DPC inquiry serves reminder of artificial intelligence GDPR obligations

The DPC recently launched an inquiry into X, formerly known as Twitter, over the processing of personal data from EU/EEA users on the social media platform. This investigation focuses on the use of publicly accessible posts to train generation AI models, specifically the Grok Large Language Models (LLMS) developed by xAI, a company owned by X owner Elon Musk.

The inquiry aims to scrutinise the compliance of X with provisions of the GDPR, particularly concerning the lawfulness and transparency of data processing. The DPC’s investigation will determine whether the personal data used to train Grok was processed legally and if the company adhered to mandatory transparency requirements. 

Isabel Humburg, intellectual property and AI specialist at Pinsent Masons, said: “This investigation highlights the need for robust regulatory frameworks to ensure that AI development is aligned with legal and ethical standards.”

Using personal data to train AI models throws up some challenges from a data protection perspective. For example, it can be difficult to ensure data subject rights are protected. Personal data may be at risk of inadvertently being revealed to third parties in unexpected ways if the AI model does not have the appropriate safeguards in place.

In the summer of 2024, the DPC initiated and swiftly concluded an investigation into X for the alleged unlawful processing of user data to train Grok. As a result, X committed to permanently refrain from processing EU users’ data for training Grok and deleted all previously processed data used for this purpose. Despite these measures, the current inquiry seeks to ensure ongoing compliance and address any remaining issues.

Nicola Barden, data, privacy and cyber expert at Pinsent Masons, said: “The announcement of this inquiry comes as no surprise given the DPC’s urgent application to the Irish High Court last year which resulted in X’s agreement to continue to adhere to an undertaking to suspend its processing of the personal data from public posts for training Grok. This comes on the foot of the DPC, not unexpectedly, increasing its focus on AI matters in the last year.”

“However, this inquiry appears to be far reaching in terms of the scope of the GDPR provisions it is focusing on,” said Barden. “The particular focus on lawfulness and transparency means that it will be considering if X had a lawful basis to process the personal data in this context, and if the users were adequately informed that their personal data would be used to train the AI models. Perhaps most concerning is that when using information from public posts, special category personal data could be used to train the AI model if it is not adequately filtered out. The GDPR requires that special category data meets a condition laid down in Article 9 for processing to be permitted. To use special category data to train an AI model, it could be difficult for the controller to meet an Article 9 condition.”

The DPC’s inquiry is part of a broader effort to ensure that AI technologies are developed and deployed in compliance with data protection regulations.

Karen Gallagher, intellectual property and AI expert at Pinsent Masons, said: “The investigation highlights once again the central role played by the Irish DPC in regulating the EU data protection compliance of international tech companies, including where there is an interplay between data and AI.”

In its programme for government issued earlier this year, the Irish government earmarked AI as one of its main priorities. Home to many leading international tech companies as well as a thriving tech start up community, with the support of the government, Ireland is well placed to become a centre for AI innovation. Where there is innovation, there is also regulation. The Irish DPC has extensive experience in regulating the activities of tech companies, therefore we are likely to see the DPC and other Irish regulators such as Coimisiún na Meán play a leading role in EU AI Act regulation as the new regime comes into effect.

Humburg said: “The investigation will also be closely monitored in light of the upcoming EU AI Act implementation deadline of 2 August 2025 regarding obligations covering General Purpose AI (GPAI) models, such as the Grok LLM. The EU AI Act mandates detailed documentation and transparency requirements for these models. From 2 August, providers of GPAI models must have in place policies to comply with EU law on copyright and related rights and must publicly disclose a sufficiently detailed summary of the content used for training the model. The outcome of this inquiry could influence future regulatory approaches to AI and data protection, and it will be interesting to see what effect the EU AI Act will have on investigations by data protection authorities when AI systems and GPAI models are involved.”