NOYB, a prominent European privacy advocacy group, has submitted nine separate GDPR complaints against X for exploiting the personal data of over 60 million European users to train “Grok,” its massive language model.
Without notifying customers or seeking their consent, X failed to disclose that it was utilizing personal data to train artificial intelligence models.
NOYB – Nothing to Hide – is a European nonprofit privacy advocacy group dedicated to enforcing digital rights and safeguarding information security through the implementation of laws such as the General Data Protection Regulation (GDPR).
The group’s actions have previously led to severe criticism on Meta, numerous complaints, and several fines for various GDPR violations.
Grok educated quietly
NOYB claims that Grok utilised enormous amounts of personal data from approximately 60 million customers within the European Union (EU) and European Economic Area (EEA), without a valid legal basis or individual consent, thereby egregiously contravening General Data Protection Regulation (GDPR) principles.
The apparent opacity in Grok’s coaching tactics was initially detected in late July 2024 by @EastBakedOven, who noticed the disparity while examining recent modifications to X account settings.
The actual permission granted is: “Please allow your posts, interactions, inputs, and outcomes with Grok to be used for coaching and fine-tuning purposes.”
X reveals that this knowledge could be leveraged to refine Grok’s capabilities, potentially even sharing it with its counterpart, xAI, to achieve similar enhancements.
In the final week, Ireland’s Data Protection Commissioner (DPC) voiced satisfaction with the agreement it had reached with X, under which the company committed to suspending the processing of personal data until September.
The official announcement from DPC confirms that an unauthorized coaching session with Grok occurred within a specific timeframe of May 7 to July 31, 2024.
Noting the Data Protection Commissioner’s settlement with X, Max Schrems, chair of None of Your Business, remarked that the company neglected to consider the authorized perspective of the issue, instead focusing on proposals for mitigating measures to be implemented.
After conducting an exhaustive review of the text in question, I have revised it to the following:
NOYB has taken umbrage with DPC’s lackluster motion, deeming it “half-hearted.” As such, NOYB has undertaken a meticulous inventory of violations pertinent to GDPR Articles 5(1) and (2), 6(1), 9(1), 12(1) and (2), 13(1) and (2), 17(1)(c), 18(1)(d), 19, 21(1) and 25, with the aim of sparking a comprehensive investigation at once.
The Non-Obvious Yield-Based (NOYB) initiative is investigating the circumstances surrounding X’s failure to notify customers about Grok’s coaching services, which commenced two months prior to the inquiry. Furthermore, NOYB is seeking insight into what happened to European Union (EU)-related data already integrated into the coaching datasets and exploring methods to effectively distinguish between EU and non-EU information for accurate analysis and compliance purposes.
What puzzles the team is that Twitter continues to fail to require EU-based users to grant consent for utilizing their data to train Grok, a method specifically designed to comply with GDPR regulations regarding personal information usage?
Despite BleepingComputer’s efforts to engage with Twitter regarding NOYB’s motion and allegations, they have received only a “review later” automated response.
