The Data Protection Commission (DPC) in Ireland has launched an inquiry into X, formerly known as Twitter, concerning its use of personal data to train its artificial intelligence (AI) chatbot, Grok. The probe, initiated on Friday, April 11, 2025, will investigate whether X's processing of publicly accessible posts from EU users complies with the General Data Protection Regulation (GDPR).
Specifically, the DPC is examining how X utilizes personal data from posts made by users within the European Union (EU) and European Economic Area (EEA) to train its generative AI models, particularly the Grok Large Language Models (LLMs). The inquiry aims to determine if this processing is lawful and transparent, adhering to GDPR's requirements.
Grok, developed by Elon Musk's AI startup xAI, is a group of AI models that power a generative AI chatbot available on the X platform. Like other LLMs, Grok is trained on a vast amount of data, including text scraped from the internet. The DPC's investigation is focused on a subset of this data controlled by X: personal data within publicly accessible posts by EU/EEA users.
This inquiry is not the first time X's data practices have come under scrutiny in Ireland. Last year, the Irish regulator addressed concerns about X's use of EU citizens' data for AI training, leading X to suspend the practice temporarily after a battle in the Irish courts. The current investigation will assess whether X has adhered to GDPR, including lawful data processing and transparency rules.
The DPC's action follows complaints filed in August by the privacy group Noyb in multiple European countries, alleging that X never informed its users that their data would be used to train AI models. According to Noyb, users only found out about the situation through a post by an X user in late July. X updated its terms of service in September to reflect that user data would be used for such purposes.
This probe is significant for several reasons. Firstly, it is one of the first major regulatory investigations into the use of social media content for AI training in the EU. Secondly, it arrives as AI developers face increasing scrutiny regarding their training data practices. Several class-action lawsuits have been filed in various jurisdictions alleging copyright infringement and unauthorized use of personal data.
The outcome of the DPC's inquiry could have far-reaching implications for the generative AI sector. It may clarify whether publicly available social media content can be legally repurposed for commercial AI training without explicit user consent. GDPR violations can result in significant penalties, with maximum fines reaching €20 million or 4% of global annual revenue, whichever is higher. Beyond potential financial penalties, the outcome could necessitate changes to how Grok models are trained and potentially even deployed within the European market.
In March 2025, xAI acquired X in an all-stock deal valued at $33 billion, putting both the data and the AI engine under the same leadership. The DPC's inquiry will examine the use of data controlled by X Internet Unlimited Company (XIUC), the newly renamed Irish entity responsible for X.
