Core Investigation Details

The Irish Data Protection Commission (DPC) confirmed on 17 June 2024 that its probe examines whether X’s data collection practices for Grok violate GDPR’s fundamental principles. Regulators particularly question the legal basis for using social media interactions – including private messages and deleted posts – as training material.

X’s Defense Strategy

X Corp maintains its training data consists of ‘publicly available information,’ citing GDPR Article 6(1)(f) regarding legitimate interests. However, NOYB privacy group founder Max Schrems counters: ‘Posting a meme doesn’t equate to consent for AI training – the DPC’s decision could redefine data ownership in the algorithmic age.’

Regulatory Domino Effect

This case coincides with France’s CNIL launching three generative AI probes in June 2024. The EU AI Act, formally adopted on 14 June 2024, now requires detailed documentation of training data sources, creating overlapping compliance requirements for tech firms.

Historical Compliance Patterns

Previous GDPR enforcement offers clues to potential outcomes. In May 2023, Meta faced a record €1.2B fine for EU-US data transfers. However, AI-specific cases remain untested territory. Gartner analyst Avivah Litan notes: ‘The 2021 GDPR amendment allowing 4% revenue fines for systemic violations gives regulators unprecedented teeth in AI matters.’

Parallels emerge with 2018’s GDPR implementation, when companies scrambled to audit data practices. Tech firms now face similar challenges adapting AI development pipelines to Europe’s strict ‘privacy by design’ requirements under both GDPR and the new AI Act.