On April 11, 2025, Ireland’s data privacy watchdog, the Data Protection Commission (DPC), announced that it is investigating Elon Musk's social media platform X (formerly known as Twitter) over its use of personal data to train its artificial intelligence chatbot, Grok. This inquiry comes amidst growing concerns about privacy laws and the ethical use of user data in AI development.
The DPC's investigation focuses on whether X has lawfully processed personal data from publicly accessible posts made by European users. This scrutiny arises after X's controversial decision to continue developing its AI models despite a previous agreement to discontinue the use of personal data from EU users, which was established in 2024.
Last year, the DPC filed a lawsuit against X, accusing the platform of breaching data privacy regulations concerning the collection of publicly accessible posts. Although X agreed to cooperate with the DPC and halted its use of EU user data, the current investigation suggests that X may not have fully adhered to its obligations under the EU’s General Data Protection Regulation (GDPR).
The GDPR is one of the strictest data protection laws in the world, requiring companies to obtain clear consent from users before processing their personal data. The DPC is particularly concerned that X has not adequately informed users about how their data might be used for AI training.
“This inquiry considers a range of issues concerning the use of a subset of this data which was controlled by X Internet Unlimited Company,” the DPC stated in a bulletin. The commission’s investigation aims to determine whether X has violated the GDPR by processing this data without proper user consent.
The implications of this investigation are significant. If found in violation, X could face hefty fines of up to EUR 20 million or 4% of its total annual revenue. This could amount to a substantial financial penalty given X's global revenue, which is estimated to be in the billions.
In the past, the DPC has not hesitated to impose significant fines on major tech companies for similar breaches. For instance, in 2024, the commission fined Meta and LinkedIn over €650 million for GDPR violations. Since 2021, the DPC has collected over €2.5 billion in fines from Meta alone, highlighting its aggressive stance on enforcing data protection laws.
As the investigation unfolds, it raises critical questions about the ethical implications of using social media data for training AI systems. The DPC's inquiry is not just about compliance with legal standards; it is also about ensuring that users are informed and have control over their personal data.
In 2024, X updated its privacy policies, allowing user data from public posts to be shared with xAI, the artificial intelligence company also owned by Musk. This change, made with little public notice, has drawn criticism from privacy advocates who argue that even publicly shared posts should not be used without explicit consent from users.
The DPC’s investigation comes at a time when the use of AI is becoming increasingly prevalent in various sectors, raising concerns about data privacy and user rights. As companies like X push the boundaries of technology, regulators are tasked with ensuring that user rights are not compromised in the pursuit of innovation.
Musk and representatives from X have not yet issued a public statement regarding the investigation. However, the scrutiny from the DPC could have broader implications for how tech companies operate in Europe, particularly in relation to data privacy.
With the DPC acting as the lead regulator for X in Europe, the outcome of this investigation could set a precedent for how similar cases are handled in the future. As the inquiry progresses, many will be watching closely to see how it impacts not only X but also the broader landscape of data privacy and AI development.
The DPC’s investigation underscores the ongoing tension between technological advancement and the protection of individual privacy rights. While AI has the potential to revolutionize various industries, it is essential that companies prioritize ethical practices and transparency in their operations.
As the investigation continues, the DPC will be examining not only the specific practices of X but also the broader implications for how personal data is handled in the age of AI. The outcome could influence future regulations and the responsibilities of tech companies in ensuring that user data is treated with the utmost respect.
For now, the focus remains on whether X has adequately informed its users and obtained the necessary permissions for using their data in AI training. The DPC’s findings will likely have significant implications for how social media platforms engage with user data and the extent to which they can utilize it for technological advancements.
As we await further updates from the DPC, it is clear that the intersection of AI and data privacy will continue to be a hot topic in the coming years. The outcome of this investigation could shape the future of data protection laws and the responsibilities of companies operating in the digital space.
