The Irish Data Protection Commission has launched an investigation into X’s use of EU user data to train its AI system, Grok AI.
Ireland’s data regulator, the Data Protection Commission, has launched an investigation into social media platform X’s use of personal data collected from EU users to train its artificial intelligence system Grok AI. The announcement was made on Saturday, April 12, 2025. Reason for investigation The investigation focuses on whether X violated the EU’s strict General Data Protection Regulation (GDPR) by processing personal data obtained from EU users’ publicly accessible posts for the purpose of training a generative artificial intelligence model. DPC’s role The DPC is the lead EU regulator in the case as X’s EU operations are headquartered in Ireland. Under the GDPR, the DPC has the power to impose fines of up to 4% of a company’s global revenue if it is found to be in breach of the rules.
Previous legal case
The investigation follows a court case last year in which the Irish regulator sought an order to prevent X from processing EU users’ data for the purpose of developing its AI systems. At the time, X agreed that it would not use personal data collected from EU users to train its AI systems unless they had the option to withdraw their consent. The Irish regulator then ended court proceedings, as X agreed to these limitations on a permanent basis. Scope of investigation. The new investigation will focus specifically on whether X is complying with the GDPR, including whether data was processed lawfully and in accordance with transparency rules.
Grok AI’s training data
The sources of data used to train Grok AI include real-time social media content posted by X (Twitter), discussions and trending topics. Grok AI has access to real-time social media data, particularly due to its relationship with X, which can provide it with unique current insights compared to many other AI models. Public Internet Data Web crawling and indexing of publicly available online information. Curated Knowledge Base Structured information from reputable online sources. Grok AI is designed to incorporate more dynamic constantly updated information, unlike some AI models that rely only on static datasets. This approach allows the AI to maintain a more current understanding of world events, technological developments, and cultural trends.
Data Collection Transparency
One of the primary concerns related to Grok’s training data is the level of transparency regarding its sources. The specific datasets used by X are not disclosed, making direct comparisons with other AI models challenging.
GDPR and AI Training Data The GDPR regulates the processing of personal data, and it also applies to data used for training AI systems if that data includes information relating to identified or identifiable natural persons. The principles of the GDPR aim to ensure that personal data is processed responsibly and in an ethical manner. GDPR compliance requires consideration at various stages in the life cycle of an AI system Possible legal bases for data processing under the GDPR include
Legitimate interests
This can be a complex legal basis that requires an assessment of whether the legitimate interests of the data controller outweigh the rights and freedoms of data subjects. The European Data Protection Board (EDPB) has also adopted an opinion on the use of personal data for the development and deployment of AI models. This opinion considers when and how AI models can be considered anonymous, whether and how legitimate interest can be used as a legal basis for developing or using AI models, and what happens if an AI model is developed using unlawfully processed personal data. Irish Data Protection Commission investigations:
The DPC has the power to investigate and take enforcement action to ensure the protection of individuals’ privacy under the GDPR. Previous investigations by the DPC include Meta (Facebook), WhatsApp, and Twitter (now X).
Possible impact on X
If the DPC finds that X has violated the GDPR, the company could be hit with a hefty fine of up to 4% of its global revenue. Additionally, the DPC could order X to make changes to the way it processes EU users’ personal data to train its AI systems. This investigation could further inflame already existing tensions between the EU and the United States over tech regulations. Elon Musk, X’s owner, has previously criticized EU regulations.
Conclusion
The investigation launched against X by the Irish Data Protection Commission highlights how European regulators are increasingly restricting the use of AI development
