Inquiry by Ireland’s Data Protection Commission Into Artificial Intelligence on X

On April 11, 2025, Ireland’s Data Protection Commission (DPC) announced it has begun an inquiry concerning artificial intelligence (AI) practices on the social media platform, X, which was previously known as Twitter. This investigation focuses on how personal data of users in the European Union (EU) and European Economic Area (EEA) is processed when it comes to training generative AI models.

Understanding the Scope of the Inquiry

The DPC revealed that the inquiry aims to examine the processing of publicly accessible posts made by EU/EEA users on X. The Commission is particularly interested in how this data is utilized for training Grok Large Language Models (LLMs), which are a series of AI models developed by xAI. These models are commonly used in AI tools, including chatbots that can generate human-like responses based on user queries.

The inquiry will explore compliance with key elements of the General Data Protection Regulation (GDPR), including the lawfulness and transparency of data processing activities.

Data Involved in the Inquiry

The DPC’s investigation focuses specifically on a subset of data controlled by X Internet Unlimited Company (XIUC). This data includes personal information contained in publicly accessible posts shared by EU/EEA users. The entity XIUC was previously named Twitter International Unlimited Company (TIUC) and underwent this name change on April 1, 2025.

The main objective of the inquiry is to find out if the personal data from users was processed lawfully for the training of the Grok LLMs.

Legal Framework of the Inquiry

The decision to initiate this inquiry falls under Section 110 of the Data Protection Act 2018, as stated by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland. They notified XIUC of this decision earlier this week.

What is GDPR?

The General Data Protection Regulation (GDPR) is a landmark legislation introduced by the European Union that sets clear standards for data privacy and security. It establishes fundamental rights for individuals in the digital realm, outlines the responsibilities of data processors, and provides guidelines for ensuring compliance.

GDPR is known for being one of the strictest privacy laws globally. It was implemented to update and modernize the principles established by the 1995 Data Protection Directive. The regulation was officially adopted in 2016 and came into effect on May 25, 2018.

Key Provisions of GDPR

1. Data Subject Rights: Individuals have the right to access their personal data, rectify inaccuracies, and request deletion of their data.
2. Data Processing Principles: Personal data must be processed lawfully, transparently, and for specific purposes.
3. Accountability: Organizations that process data must demonstrate compliance with GDPR standards.
4. Sanctions and Penalties: Breaches can result in substantial fines, as seen when the DPC fined Meta, the parent company of Facebook, a record €1.2 billion in 2023 for failing to comply with GDPR.

Implications of the Inquiry

The outcomes of the DPC’s inquiry could potentially lead to significant changes in how data is managed on the platform. If any violations of GDPR are found, XIUC might face penalties or be required to implement new measures to ensure user data is protected.

As artificial intelligence continues to evolve and integrate deeper into social media platforms, regulatory bodies like the DPC are working to ensure that user rights are safeguarded. The unfolding developments will be closely monitored by users, advocates, and industry analysts alike as the implications of data privacy regulations become ever more pertinent in the age of advanced technology.

Please follow and like us: