Twitter’s AI plans hit with 9 more GDPR complaints

Artificial Intelligence
 /  12 August 2024

Recently, Twitter International (now re-branded as “X”) began unlawfully using the personal data of more than 60 million users in the EU/EEA to train its AI technologies (like "Grok") without their consent. Unlike Meta (which recently also had to stop AI training in the EU), Twitter did not even inform its users in advance. This went too far even for the Irish Data Protection Commission (DPC): Last week, it launched court proceedings against Twitter to stop the illegal processing, but the Irish DPC seems to have stopped short of fully enforcing the GDPR. noyb now follows up with nine complaints.

Screen showing Twitter's Grok logo

Personal data of 60 million people to train AI? As if Meta’s failed attempt to illegally use people’s personal data for AI projects did not send a clear enough message, Twitter is the next US company to just suck up EU users’ data to train AI. Twitter started irreversibly feeding European users’ data into its “Grok” AI technology in May 2024, without ever informing them or asking for their consent.

Irish DPC takes half-hearted action. Twitter’s blatant ignorance of the law has prompted a surprising response by the (notoriously pro-corporate) Irish DPC: The authority has taken court action against Twitter to stop the illegal processing and enforce an order to bring its systems into compliance with the GDPR. However, a court hearing last Thursday revealed that the DPC seems to have been mainly concerned with so-called “mitigation” measures and the fact that Twitter started processing while still being in a mandatory consultation process with the DPC under Article 36 GDPR. The DPC does not seem to go for the core violations.

Max Schrems, Chairman of noyb: “The court documents are not public, but from the oral hearing we understand that the DPC was not questioning the legality of this processing itself. It seems the DPC was concerned with so-called ‘mitigation measures’ and a lack of cooperation by Twitter. The DPC seems to take action around the edges, but shies away from the core problem.”

noyb applies for full investigation. Already during the first hearing, the Irish DPC has settled with Twitter (via a so-called "undertaking") to just pause further training of the algorithm with EU data until September. No determination on the legality was made and many questions remain unanswered. For example: What happened with EU data that was already ingested in the systems and how can Twitter (properly) separate EU and non-EU data? For this reason, noyb has filed GDPR complaints with the data protection authorities in nine countries, to ensure that the core legal problems around Twitter’s AI training are fully addressed. The more other EU DPAs get involved in the proceedings, the higher the pressure on the Irish DPC to follow through with its case and on Twitter to actually comply with EU law.

Max Schrems, Chairman of noyb: “We have seen countless instances if inefficient and partial enforcement by the DPC in the past years. We want to ensure that Twitter fully complies with EU law, which – at a bare minimum – requires to ask users for consent in this case.

Simple solution: Just ask users! The EU’s GDPR provides an easy solution for users to “donate” their personal data for AI development - just ask users for their clear consent to such processing. If just a small number of Twitter's 60 million users consented to the training of its AI systems, Twitter would have more than enough training data for any new AI model. But asking people for permission is not Twitter’s current approach, instead they just take user data without information to users or permission from them.

Max Schrems, Chairman of noyb: “Companies that interact directly with users simply need to show them a yes/no prompt before using their data. They do this regularly for lots of other things, so it would definitely be possible for AI training as well.

Business interests override users' fundamental rights? Normally, the processing of personal data is unlawful by default in the European Union. Therefore, in order to process personal data, Twitter must rely on one of the six legal bases under Article 6(1) GDPR. Although the logical choice would be opt-in consent, Twitter – much like Meta – claims that it has a "legitimate interest" that overrides users’ fundamental rights. This approach has already been rejected by the Court of Justice in a case concerning Meta’s use of personal data for targeted advertising. However, it seems that the Irish DPC has for the past months “negotiated” over the “legitimate interest” approach in a “consultation” procedure under Article 36 GDPR.

Max Schrems: “The facts that we now know from the Irish court proceedings indicate that the DPC has not really questions the core issue, which is taking all that personal data without user consent.

Information provided via “viral” X post. As mentioned above, Twitter has never proactively informed its users that their personal data is being used to train AI – even though it spams them with notifications every time someone likes or re-tweets their posts. On the contrary, it seems that most people found out about the new default setting through a viral post by a user named ‘@EasyBakedOven’ on 26 July 2024 - over two months after the AI training had begun.

How about other GDPR rights? At the moment providers of AI systems largely claim that they are unable to comply with other GDPR requirements, such as the right to be forgotten (Article 17 GDPR), once the data has been ingested into their AI systems. Similarly, companies tend to claim that they cannot answer requests to get a copy of the personal data contained in training data or the sources of such data (as required under Article 15 GDPR), not can they correct inaccurate personal data (as required under Article 16 GDPR). This raises additional questions when it comes to the unlimited ingestion of personal data into AI systems.

Large-scale GDPR breaches warrant emergency procedure. Given that Twitter has already started processing people’s data for its AI technology, and that there’s essentially no option to remove ingested data, noyb has requested an "urgency procedure" under Article 66 GDPR. Data protection authorities (DPAs) in nine European countries (Austria, Belgium, France, Greece, Ireland, Italy, Netherlands, Poland and Spain) received such a request on behalf of local data subjects. Article 66 authorises DPAs to issue preliminary halts in situations such as the one described above and allows for an EU-wide decision via the EDPB. The Irish DPC and Meta Ireland have already been subject to two "Urgent Binding Decisions" by the EDPB in similar situations (see Urgent Binding Decision 01/2023 and Urgent Binding Decision 01/2021).

Several GDPR provisions violated. In addition to the lack of a valid legal basis, it's highly unlikely that Twitter properly distinguishes between data from users in the EU/EEA and other countries where people don't enjoy GDPR protection. The same goes for sensitive data under Article 9 GDPR (for which the "legitimate interest" argument is not available under the law), such as data revealing ethnicity, political opinions and religious beliefs, as well as other data for which a "legitimate interest" could theoretically be claimed. With the introduction of its AI technology, Twitter appears to have breached a number of other GDPR provisions, including GDPR principles, transparency rules and operational rules. Overall, noyb's complaints list violations of at least Articles 5(1) and (2), 6(1), 9(1), 12(1) and (2), 13(1) and (2), 17(1)(c), 18(1)(d), 19, 21(1) and 25 GDPR.

Share