Social media platform X, formerly known as Twitter, is under fire in Austria as advocacy group NOYB (None of Your Business) filed a complaint against the company, alleging violations of the European Union’s General Data Protection Regulation (GDPR). The complaint centers on X’s alleged use of users’ personal data for training its artificial intelligence (AI) systems without obtaining proper consent, a move that could have significant legal ramifications for the platform owned by Elon Musk.
The Core of the Complaint
The complaint was submitted to data protection authorities in nine European Union countries, with the goal of pressuring the Irish Data Protection Commission (DPC) to take decisive action against X. The DPC, which is the lead EU regulator for many U.S.-based tech giants due to the location of their EU operations in Ireland, has been asked to suspend or restrict X’s processing of user data for AI training purposes.
NOYB, led by privacy activist Max Schrems, asserts that X’s actions are a clear violation of GDPR, which requires companies to obtain explicit user consent before processing personal data. According to Schrems, X has been using personal data collected from EU users to develop, train, and refine its AI systems without giving users the option to withdraw their consent before data collection began.
Irish Court’s Interim Ruling
Last week, an Irish court heard that X had agreed to halt the use of personal data for AI training until users were given the opportunity to withdraw their consent. However, the court also found that X had only provided this option to users several weeks after data collection had already started, raising further concerns about the company’s compliance with GDPR.
Despite X’s temporary agreement, NOYB’s complaint remains focused on broader issues. The group has criticized the DPC for not questioning the legality of the data processing itself and for not taking stronger measures to protect user privacy. Schrems emphasized the need for X to fully comply with EU law, which requires companies to ask for user consent before processing personal data, especially in cases involving sensitive applications like AI training.
X’s Response and Broader Implications
X has yet to provide a public response to the complaint, although the company’s Global Government Affairs account indicated on Friday that it would continue to cooperate with the DPC on AI-related issues. The complaint against X comes on the heels of a similar situation involving Meta, the parent company of Facebook, which was instructed by the Irish DPC to delay the launch of its AI assistant in Europe over concerns about data privacy.
The outcome of this case could have far-reaching implications for the use of AI in Europe, particularly regarding how companies collect and use personal data for machine learning purposes. It also underscores the growing scrutiny that major tech companies face in the EU over their data handling practices.
Future Actions and Potential Consequences
If the complaint leads to further action by the DPC, X could face significant fines and be forced to alter its data processing practices. The situation also highlights the importance of transparency and user consent in the rapidly evolving field of AI, where the use of personal data must be carefully regulated to protect individual privacy rights.
As the case unfolds, it will be closely watched by regulators, privacy advocates, and tech companies alike, as it may set a precedent for how AI and personal data are managed in the EU.
