In August 2024, the European Center for Digital Rights (noyb), co-founded by privacy advocate Max Schrems, filed a series of complaints against X (formerly Twitter), the social media platform owned by Elon Musk. The nine complaints, lodged in nine different countries, focus on X’s use of personal data to train its Artificial Intelligence (AI) technologies. In this article, we will take a closer look at noyb’s arguments. For clarity, this article will refer to the defendant as “Twitter.”

The Core of the Complaint: Inappropriate Legal Basis

noyb’s complaints center on Twitter’s introduction of a default setting that automatically processes the personal data of over 60 million EU/EEA users to train its AI model, „Grok.“ This data includes posts, interactions, and other user activities on the platform. The complaint argues that this processing lacks a clear legal basis, with Twitter relying on vague justifications under Article 6(1)(f) of the GDPR, which pertains to „legitimate interests.“

However, noyb contends that Twitter’s actions fail to meet the GDPR’s requirements for invoking this legal basis. For processing to be grounded in legitimate interest, the controller’s interest must not be overridden by the rights and freedoms of data subjects. This requires a legitimate interest assessment, which involves evaluating the legitimacy and necessity of the processing and performing a balancing test.

noyb argues that Twitter fails to establish a legitimate interest as required by the GDPR. While the company claims to process data to train AI models, it does not clearly specify the purpose of this training. The complaint further argues that profit-seeking alone is not a legitimate interest, and that GDPR-recognized legitimate interests are typically defensive in nature (for example, fraud prevention) which is not the case at Twitter.

Moreover, noyb suggests that Twitter’s broad data extraction likely does not differentiate between sensitive and non-sensitive data, hindering its ability to rely on legitimate interest. Article 9 of the GDPR, which governs special categories of personal data, does not allow their processing based on legitimate interest.

Regarding necessity, noyb argues that the processing of personal data is not „strictly necessary“ as required by the GDPR, especially given the undefined purposes and the availability of less invasive alternatives, such as training on smaller datasets.

Finally, noyb contends that the processing fails the balancing test due to the extensive use of personal data, the uncertainty surrounding the purpose, the lack of transparency, and the fact that the processing exceeds users’ reasonable expectations. As a result, noyb concludes that Twitter cannot rely on Article 6(1)(f) of the GDPR, legitimate interest, for their AI training operation.

Lack of Transparency and Other Violations

In addition to the absence of a legal basis, noyb highlights other potential violations by Twitter. The organization argues that Twitter fails to provide transparent information that would enable users to understand exactly how their data is being processed for the training of „Grok.“ Even more concerning, Twitter allegedly seeks to prevent data subjects from exercising their rights by complicating the process of objecting to the processing and making it available only on their web version and not the mobile app.

noyb also points out deficiencies in Twitter’s privacy policy, which it claims does not include all the necessary information required under Article 13 of the GDPR to ensure appropriate and transparent information is provided to data subjects. Additionally, it notes that users cannot object to or erase their data once it has been used to train the AI, as it is nearly impossible for AI models to „forget“ data.

What is next for Twitter?

As major tech companies engage in an “arms race” to develop the most advanced AI models, data protection laws and data protection authorities have emerged as one of the few mechanisms to curb their insatiable demand for data.

For Twitter, the stakes are high. The upcoming investigations could result in substantial penalties and force the platform to significantly overhaul its data processing practices. While Twitter might consider relying on freely given and informed consent from users as a legal basis, this approach would present its own set of challenges, particularly regarding the data that has already been collected.

More likely, however, is a scenario similar to the one faced by Meta, which ceased AI training with data under GDPR jurisdiction. Although this was hailed as a victory for European privacy rights, it also led to some products, such as Meta AI, becoming unavailable to European consumers. In some circles, there are growing concerns that such restrictions could ultimately impact Europe’s competitiveness in the long term.