On Friday, April 11, 2025, Ireland's Data Protection Commission (DPC) announced it is investigating Elon Musk's social media platform X over its use of personal data to train the artificial intelligence chatbot Grok, developed by Musk's xAI. This inquiry is part of the European Union's stringent data privacy regulations, known as the General Data Protection Regulation (GDPR).
The DPC has opened an investigation into the processing of personal data from publicly accessible posts made by European users on X. The primary aim of this inquiry is to determine whether this personal data was processed lawfully in order to train Grok's large language models (LLMs). According to the DPC, "the purpose of this inquiry is to determine whether this personal data was lawfully processed in order to train the Grok LLMs" under the bloc’s data privacy law.
Since its launch in December 2024, Grok has been available to all users of X, allowing it to generate biographies and other content based on user data. However, the DPC is now scrutinizing whether the personal data of EU users was processed in compliance with GDPR requirements, particularly regarding transparency and legality.
The DPC has significant enforcement powers, which include the ability to impose penalties of up to 20 million euros or 4% of a company's total annual revenue for severe violations. This power becomes particularly relevant as the inquiry unfolds, given the potential implications for X, which operates its European headquarters in Dublin.
In the summer of 2024, the DPC had initiated a prior investigation into X regarding the alleged unlawful processing of user data for training Grok. Following that inquiry, X committed to permanently refrain from processing EU users' data for this purpose and deleted all previously processed data used in the training of Grok. Despite these actions, consumer organizations such as Euroconsumers, Altroconsumo, and the European Center for Digital Rights (Noyb) filed complaints against X in August 2024, alleging multiple violations of GDPR.
As the current investigation progresses, it remains unclear whether the DPC will find sufficient evidence to impose penalties on X, now officially known as X Internet Unlimited Company following its rebranding from Twitter International Unlimited Company on April 1, 2025. The outcome of this inquiry could have significant ramifications not only for X but also for the broader landscape of data privacy and artificial intelligence usage in Europe.
The DPC's role as the lead regulator for X in Europe is crucial, given the platform's extensive user base and the sensitive nature of the data involved. The investigation highlights ongoing concerns regarding how social media companies handle user data, especially in light of the rapid advancements in AI technology.
The inquiry into Grok is part of a broader trend of increased regulatory scrutiny on AI technologies and their compliance with data protection laws. As AI continues to evolve, the legal frameworks surrounding its use are also being tested, and regulators are keen to ensure that user privacy is upheld.
While X has not yet responded to the DPC's latest inquiry, the company has previously stated its commitment to compliance with EU regulations. However, the mounting pressure from consumer advocacy groups and regulatory bodies suggests that the challenges facing X—and similar platforms—are far from resolved.
The DPC's investigation is expected to take some time, and the findings could prompt further actions not only against X but also against other companies operating in the AI space. As the inquiry unfolds, stakeholders across the tech industry will be watching closely, as the implications could set precedents for how personal data is handled in the age of artificial intelligence.
In conclusion, the investigation into Grok underscores the delicate balance between innovation and regulation. As AI technologies become increasingly integrated into our daily lives, ensuring that user data is handled responsibly will be paramount. The outcome of this inquiry could shape the future of AI development and data privacy standards across Europe.
