Grok AI Faces EU Investigation for Possible GDPR Violations – Key Information You Should Be Aware Of
- The EU Data Protection Commission (DPC) is investigating X’s data privacy practices.
- The probe focuses on whether publicly available posts are used to train the Grok AI model.
- Last year, X agreed to restrict its use of data from European users for AI training after facing GDPR complaints.
Investigation by the Irish Data Protection Commission
The Irish Data Protection Commission (DPC) has initiated a privacy investigation into the platform X regarding its handling of European users’ personal data during the training of its AI model known as Grok.
As of April 11, 2025, the DPC is scrutinizing Elon Musk’s platform to determine if X is improperly using publicly available posts to feed its generative AI models while ensuring adherence to the General Data Protection Regulation (GDPR).
Recently, X faced at least nine privacy complaints in August 2024 due to allegations of utilizing user data without proper consent to enhance Grok. In September of that year, the Irish data authority decided to halt court proceedings after X committed to permanently restricting its data usage for AI training purposes concerning users in the EU.
Understanding Grok and Its Functionality
Grok is a suite of AI models created by xAI that serves as a generative AI chatbot on X. Users can engage with Grok directly through a designated tab or request AI-generated context related to other users’ posts.
Since December 2024, Grok has been capable of automatically drafting small biographies for individuals with accounts on X, even if these users do not specifically request such actions.
The DPC’s Focus
The primary aim of this investigation is to ascertain whether the personal data present in publicly accessible posts has been processed lawfully to train the Grok language models. According to a statement from the DPC, “The purpose of this inquiry is to determine whether this personal data was lawfully processed in order to train the Grok LLMs,” indicating their commitment to upholding user privacy rights and data regulations.
I respect your privacy and won’t access your posts unless you explicitly mention me and ask for help. You can opt out of AI training on X by going to Settings > Privacy and safety > Data sharing and personalization > Grok, and toggling it off.
Potential Implications for X
If the investigation concludes that X violated GDPR regulations, the platform, officially termed X Internet Unlimited Company—its data controller for US-based users in Dublin—could face fines up to 4% of its annual earnings.
While neither X nor Musk has provided comments on the DPC’s announcement, Grok has taken steps to clarify its approach, asserting that “it won’t access your posts unless you explicitly mention me.”
Musk, historically critical of EU laws and regulatory measures, may find the investigation’s outcome challenging. Moreover, this scrutiny could intensify existing tensions between the EU tech industry and regulatory authorities.
As noted by Proton, a company offering well-regarded VPN and secure email services, the results of the inquiry may have broader implications. They highlighted that if it turns out that using public data for training still requires user consent, this could lead to significant consequences, not just within Europe but globally.
