Irish Information Security Forum

DPC launches enquiry into XIUC re Grok AI Training

Ireland's Data Protection Commission (DPC), the national supervisory authority responsible for enforcing data protection law, has formally initiated a statutory inquiry into X Internet Unlimited Company (XIUC). This investigation, commenced under Section 110 of the Irish Data Protection Act 2018, focuses on the processing of personal data derived from publicly accessible posts made by users within the European Union (EU) and European Economic Area (EEA) on the 'X' social media platform.

The core issue under examination is the lawfulness and transparency surrounding the use of this user-generated data for the purpose of training generative Artificial Intelligence (AI) models, specifically the Grok Large Language Models (LLMs) developed by the affiliated entity, xAI.

Stuck for time?
Listen to this Audio Overview

The DPC's inquiry signals significant concerns regarding potential non-compliance with fundamental principles of the General Data Protection Regulation (GDPR). Particular scrutiny is expected on the legal basis relied upon by XIUC for this processing activity under Article 6 of the GDPR, and whether the transparency obligations mandated by Articles 5, 13, and 14 were adequately met. The investigation probes the complex intersection of AI development, which often relies on vast datasets, and the stringent requirements of EU data protection law, particularly concerning data repurposed for secondary uses like model training.

This inquiry holds substantial significance beyond the immediate parties. It directly confronts the argument that personal data made publicly accessible by users is automatically available for any processing purpose, including large-scale scraping for commercial AI development. The outcome could establish critical precedents for the treatment of such data under GDPR. Furthermore, potential enforcement actions could include substantial administrative fines, potentially reaching up to 4% of XIUC's global annual turnover, alongside corrective orders that could significantly impact X's operations and AI strategy in Europe. The investigation also unfolds within a broader context of heightened EU regulatory oversight of major technology platforms, including ongoing actions under the Digital Services Act (DSA) , and follows previous DPC engagement with X concerning the use of EU user data for AI training

purposes.

Introduction: DPC Initiates Formal Inquiry into X Internet Unlimited Company (XIUC)

On April 11, 2025, Ireland's Data Protection Commission publicly announced the commencement of a formal statutory inquiry concerning the data processing activities of X Internet Unlimited Company (XIUC), the entity responsible for the 'X' social media platform's services within the EU/EEA. This move elevates the regulatory scrutiny beyond preliminary assessments, indicating the DPC has identified substantive grounds warranting a formal investigation.

The inquiry has been initiated under the specific powers granted to the DPC by Section 110 of Ireland's Data Protection Act 2018. This legislative provision equips the Commission with the necessary authority to conduct in-depth investigations into potential infringements of the GDPR and relevant national data protection law. The decision to invoke these formal powers was taken by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, signifying the importance attached to the matter at the highest level of the regulatory body. Formal notification of the inquiry's commencement was provided to XIUC earlier in that same week, ensuring the company was officially apprised of the investigation,

The central purpose articulated by the DPC for this inquiry is to fundamentally determine whether the personal data contained within publicly accessible posts originating from EU/EEA users on the 'X' platform was lawfully processed when used as training data for the Grok LLMs. This framing highlights the core legal questions surrounding the collection and repurposing of user-generated content for AI development under the GDPR framework. The resort to a Section 110 inquiry underscores the DPC's serious consideration of potential non-compliance and provides the Commission with robust investigative tools, including powers to compel information and potentially issue binding enforcement decisions. This formal footing distinguishes the current action from any prior, potentially less formal, engagements or resolutions concerning X's data handling practices.

The timing of this inquiry relative to recent corporate changes within X is noteworthy. XIUC officially notified the DPC on March 25, 2025, of its impending name change from Twitter International Unlimited Company (TIUC), which became effective on April 1, 2025. The DPC's public announcement explicitly references this rebranding , indicating the regulator's awareness and ensuring that the investigation encompasses the relevant data processing activities regardless of the entity's name during specific periods. This close temporal proximity suggests a regulatory vigilance aimed at maintaining accountability throughout corporate restructuring. Furthermore, the investigation follows reports of previous DPC action or court proceedings in the summer and autumn of 2024, where X reportedly agreed to limit or cease using EU user data for AI training. The initiation of a new, formal inquiry suggests these prior measures may have been deemed insufficient or potentially breached, necessitating a more comprehensive investigation into the lawfulness of current practices related to Grok. Additionally, reports indicate that xAI, the developer of Grok, acquired the X platform in March 2025, further integrating the entities involved.

Table 1: Key Dates Timeline

Date	Event
Summer/Sept 2024	Reported DPC action/court case resulting in X agreeing to limit/halt use of EU user data for AI training
Late 2023	European Commission opens formal proceedings against X under the Digital Services Act (DSA)
March 2025	xAI reportedly acquires X platform
March 25, 2025	XIUC notifies DPC of name change from Twitter International Unlimited Company (TIUC)
April 1, 2025	Name change from TIUC to X Internet Unlimited Company (XIUC) becomes effective; XIUC becomes EU/EEA data controller for X platform
Week of April 8, 2025	DPC formally notifies XIUC of the commencement of the Section 110 inquiry
April 11, 2025	DPC publicly announces the commencement of the inquiry into XIUC

Profile: X Internet Unlimited Company and the Grok AI

The subject of the DPC's inquiry is X Internet Unlimited Company (XIUC), an entity registered in Ireland under Company Number 503351. XIUC serves as the designated data controller for users of the 'X' social media platform located within the EU and EEA. This designation means XIUC holds the primary responsibility under GDPR for ensuring that the processing of personal data belonging to these users complies with the regulation. The company maintains its registered address in Dublin, Ireland , establishing the jurisdictional basis for the DPC to act as the Lead Supervisory Authority (LSA) under GDPR's One-Stop-Shop mechanism.

XIUC represents the latest iteration of the corporate entity managing X's European operations. Effective April 1, 2025, the company formally adopted the name X Internet Unlimited Company, succeeding its previous identity as Twitter International Unlimited Company (TIUC). This change was part of the extensive global rebranding effort following the platform's transition from Twitter to X. Historical company registration data indicates previous names included Twintl Company and Twitter International Company. The company's principal business activities are listed under classifications such as "Other Computer Related Activities" (SIC 2003: 726) or "Other Information Technology And Computer Service Activities" (SIC 2007: 62090). While past financial accounts indicate significant turnover , as a private unlimited company, XIUC may not be required to file comprehensive financial statements publicly, potentially limiting visibility into its current financial scale.

The AI model at the center of the inquiry is Grok. Grok is identified as a suite of Large Language Models (LLMs) developed by xAI, an artificial intelligence company associated with Elon Musk. These sophisticated AI models are trained on extensive and diverse datasets to enable advanced language understanding and generation capabilities.³ On the X platform, Grok LLMs power various AI-driven features, most notably a generative AI querying tool or chatbot that allows users to interact with the AI and receive responses or context related to platform content.

Crucially, the DPC's investigation specifically targets the use of personal data contained within publicly accessible posts shared by EU/EEA users on the X platform as a source of training data for these Grok models. This data subset was under the control of XIUC (or its predecessor TIUC) during the relevant periods. The relationship between X (controlled in the EU by XIUC) and xAI (the developer of Grok) involves the sharing of publicly accessible data from the social media platform – including user posts and interactions – with xAI for the purpose of developing and refining the Grok models.

Reports also suggest that xAI acquired the X platform in March 2025, creating an even tighter integration between the social media service and the AI development entity. This operational structure, involving data controlled by XIUC under GDPR being processed by or shared with xAI for the distinct purpose of AI model training, raises fundamental questions under GDPR's purpose limitation principle (Article 5(1)(b)). Users primarily share posts on X for social communication and information dissemination. Repurposing this data for training a commercial AI model like Grok constitutes a form of further processing. The inquiry will inevitably examine whether this secondary purpose is compatible with the original purpose for which the data was collected, or whether XIUC required a distinct and valid legal basis, such as explicit, informed consent, to lawfully process or share this data with xAI for Grok's development. The acquisition of X by xAI may streamline internal operations but does not alter the fundamental GDPR obligations owed by the data controller (XIUC) to its EU/EEA users regarding the processing of their personal data.

The Regulatory Framework: GDPR and AI Training Data

The processing activities under investigation by the DPC fall directly within the scope of the General Data Protection Regulation (GDPR), the cornerstone of EU data protection law. As XIUC processes the personal data of individuals within the EU/EEA through the operation of the X platform, it is legally bound to comply with the full spectrum of GDPR requirements. The regulation establishes a comprehensive framework built on core principles, data subject rights, and controller obligations, enforced by national supervisory authorities like the DPC.

Several key GDPR principles appear central to the DPC's inquiry into XIUC's use of public post data for training Grok:

Lawfulness, Fairness, and Transparency (Article 5(1)(a)): This foundational principle requires that all processing of personal data must have a valid legal basis as defined in Article 6. Furthermore, the processing must be conducted fairly, and data subjects must be provided with clear, transparent information about how their data is being used. The DPC has explicitly stated its inquiry will examine compliance with lawfulness and transparency.
Purpose Limitation (Article 5(1)(b)): Personal data should be collected for specified, explicit, and legitimate purposes. Any subsequent processing for different purposes must be compatible with the original ones, or else require a separate legal basis. Using social media posts (collected for communication) to train a commercial AI model represents a secondary purpose whose compatibility or independent legal justification is under scrutiny.
Data Minimisation (Article 5(1)(c)): Processing should be limited to personal data that is adequate, relevant, and necessary for the stated purpose. The inquiry might implicitly consider whether the wholesale use of personal data within public posts was necessary for training Grok, or if less data-intensive methods could have been employed.=

A critical aspect of the investigation will be the assessment of the lawful basis under Article 6 that XIUC relied upon for processing public post data for AI training. Potential bases include:

Consent (Article 6(1)(a)): This requires a freely given, specific, informed, and unambiguous indication of the data subject's wishes. Obtaining valid consent for using potentially vast archives of historical public posts for a novel purpose like AI training presents significant practical challenges. Moreover, reports suggest users may have been opted into data sharing for AI by default, which generally fails to meet the high standard for GDPR consent.
Legitimate Interests (Article 6(1)(f)): XIUC could potentially argue that it has a legitimate interest (e.g., commercial interest in developing AI features) that is not overridden by the fundamental rights and freedoms of the users. This requires a documented balancing test. While the public nature of the posts might be invoked by XIUC in this assessment, regulators often view large-scale data scraping, especially for commercial purposes impacting potentially sensitive data within posts, as tilting the balance towards user rights. The DPC's focus suggests skepticism about whether this test can be met satisfactorily.

Regardless of the lawful basis claimed, XIUC remains subject to transparency obligations under Articles 13 and 14. These articles mandate providing users with comprehensive information about the processing, including the specific purposes (i.e., training Grok AI), the categories of data processed, the recipients (e.g., xAI), data retention periods, and user rights. Several sources indicate potential deficiencies in XIUC's transparency regarding this specific data use, suggesting users may not have been adequately informed.

The argument surrounding the "publicly accessible" nature of the data is central and legally nuanced. While users choose to make posts public on the X platform, this action under GDPR does not automatically extinguish their rights over the personal data contained within those posts. It also does not automatically grant any third party an unrestricted license to process that data for any purpose. GDPR principles, including the need for a lawful basis and transparency, continue to apply. The DPC's investigation appears poised to challenge the assumption that public accessibility equates to implied consent for large-scale, systematic processing for purposes like commercial AI development, which may go beyond users' reasonable expectations when posting content. The outcome could significantly clarify the boundaries for using publicly available personal data under GDPR, particularly in the context of emerging technologies.

Table 2: Relevant GDPR Articles Potentially Under Scrutiny

Article	Provision	Relevance to XIUC Inquiry
Art. 5(1)(a)	Principles: Lawfulness, Fairness, Transparency	Core focus of the inquiry; examines if processing had a valid legal basis and if users were adequately informed.
Art. 5(1)(b)	Principles: Purpose Limitation	Examines if using posts for AI training is compatible with the original purpose of posting, or required a separate basis.
Art. 5(1)(c)	Principles: Data Minimisation	Potentially relevant regarding the scope of data extracted from posts for training.
Art. 6	Lawfulness of Processing	Central question: Which basis (e.g., consent, legitimate interests) did XIUC rely on, and was it validly established?.
Art. 7	Conditions for Consent	Relevant if XIUC claims consent as the lawful basis; assesses if consent was freely given, specific, informed, and unambiguous.
Art. 13 / Art. 14	Information to be provided to the data subject (Transparency)	Examines if users received clear, comprehensive information about the use of their posts for Grok training, including purpose, recipients (xAI), etc..
Art. 25	Data Protection by Design and by Default	Relevant regarding whether systems were designed with privacy principles in mind (e.g., avoiding default opt-ins for AI training).
Art. 83	General conditions for imposing administrative fines	Defines the framework and potential scale of fines if non-compliance is found.⁵

Scope and Focus of the DPC Inquiry

The DPC has delineated the scope of its Section 110 inquiry with considerable specificity. The primary subject matter under investigation is the processing of personal data that is contained within posts made publicly accessible by users located in the EU/EEA on the 'X' social media platform. This focus narrows the investigation to a specific type of data (public posts) from a defined user group (EU/EEA individuals) on a particular platform (X).

The explicit purpose of the data processing being scrutinized is the training of generative artificial intelligence models. The DPC has further specified that this relates, in particular, to the training of the Grok suite of Large Language Models (LLMs), which are known to be developed by the affiliated entity xAI. This pinpoints the investigation to a specific AI application and its developmental inputs.

Based on the DPC's announcement and subsequent reporting, the inquiry seeks answers to several key questions rooted in GDPR compliance:

Lawfulness: Was there a valid legal basis under Article 6 of the GDPR for XIUC to process personal data from public posts for the purpose of training Grok? This involves assessing whether consent was properly obtained or if the conditions for relying on legitimate interests were met.
Transparency: Were users provided with clear, sufficient, and timely information about the fact that their publicly accessible posts were being used to train Grok AI models, in line with the requirements of GDPR Articles 13 and 14? Concerns about default settings and lack of explicit communication make this a critical area.
Compliance with Core Principles: Did the processing adhere to other fundamental GDPR principles, such as purpose limitation (was AI training compatible with the original posting purpose?) and data minimisation (was only necessary data used?)? The DPC's reference to examining "a range of key provisions of the GDPR" suggests a potentially broad review of compliance beyond just lawfulness and transparency.
The entity legally responsible for the data processing under investigation, and therefore the target of the inquiry, is explicitly identified as X Internet Unlimited Company (XIUC), acting as the data controller for EU/EEA users.³ The DPC's acknowledgement of the recent name change from TIUC confirms that the inquiry's scope covers the relevant processing activities conducted under both corporate identities.³

Significantly, the inquiry appears concentrated on the input stage of the AI development lifecycle – specifically, the collection and use of data for training the Grok models. This differs from potential investigations that might focus on the outputs of AI systems, such as the accuracy or potential biases in Grok's generated responses (an issue raised in relation to other LLMs like ChatGPT ). By targeting the training data practices, the DPC is addressing a foundational element of how many modern LLMs are constructed, probing the legality of leveraging vast amounts of user-generated content scraped from public online spaces. This focus suggests the DPC views the provenance and legal basis for acquiring AI training data as a primary regulatory concern demanding clarification.

Analysis: Key Legal Challenges for XIUC

X Internet Unlimited Company faces several significant legal challenges under the GDPR framework as the DPC inquiry progresses. Successfully navigating these challenges will be critical to avoiding adverse findings and potential enforcement actions.

First and foremost is the challenge of establishing a valid lawful basis under Article 6 for processing personal data from public posts to train Grok. If XIUC relies on legitimate interests (Article 6(1)(f)), it must demonstrate through a documented balancing test that its interests in developing Grok are not overridden by the fundamental rights and freedoms of the users whose data was processed. This is a substantial hurdle, particularly given the scale of data potentially involved and the fact that personal data within social media posts can include opinions, potentially sensitive information, and identifiers.

Arguing that users have a reduced expectation of privacy for public posts may not be sufficient to outweigh their rights when data is systematically scraped and repurposed for a complex, commercial AI application potentially unforeseen by the user at the time of posting. Alternatively, if XIUC were to claim consent (Article 6(1)(a)) as the basis, demonstrating that such consent met the high GDPR standard (freely given, specific, informed, unambiguous) appears highly problematic. Reports indicating users were initially opted-in by default and the general lack of clear communication about this specific use strongly suggest that valid GDPR consent was likely not obtained.

Second, XIUC must demonstrate compliance with transparency requirements (Articles 13/14). This necessitates proving that users were provided with clear, specific, and easily accessible information prior to their data being processed for Grok training. Generic statements buried within lengthy privacy policies are unlikely to be considered adequate by the DPC. XIUC would need to provide evidence of effective communication mechanisms – potentially including clear notices within the user interface, layered information accessible via links, and user-friendly explanations of the AI training purpose and the involvement of xAI. The existence of an opt-out mechanism is relevant but does not absolve the controller from the primary obligation of upfront transparency; its accessibility and effectiveness will also likely be scrutinized.

Third, the principle of purpose limitation (Article 5(1)(b)) poses a significant challenge. The original purpose for users posting content on X is primarily social interaction and communication. Using this data to train a distinct AI product like Grok, developed by an affiliate (xAI), represents a secondary purpose. XIUC must justify why this further processing is compatible with the original purpose, or demonstrate a separate, valid lawful basis for it. European regulators often view the repurposing of data for entirely new, particularly commercial, applications with skepticism unless users were specifically made aware and, where necessary, consented.

Fourth, facilitating data subject rights (Articles 15-22) in the context of AI training data presents practical difficulties. How did XIUC enable users to exercise their rights of access, rectification, erasure, or objection concerning their personal data once it was ingested into the Grok training datasets? Rectifying or erasing specific data points within massive, complex LLM training sets can be technically challenging, yet GDPR requires controllers to facilitate these rights (an issue also noted concerning OpenAI/ChatGPT ).

Finally, the existence of previous commitments reportedly made by X in 2024 to limit or halt the use of EU user data for AI training creates a particularly difficult context for XIUC. If the DPC finds that similar processing activities continued or resumed without adequately addressing the underlying legal issues previously raised, it could be interpreted as a disregard for regulatory concerns or prior agreements. Such a finding could potentially aggravate the assessment of any non-compliance and influence the severity of potential sanctions.

The convergence of potential shortcomings across multiple fundamental GDPR requirements – lawful basis, transparency, purpose limitation, and potentially data subject rights, compounded by the history of prior regulatory engagement – creates significant legal exposure for XIUC. A finding of non-compliance on transparency alone, for instance, could trigger enforcement actions, even if a plausible (though perhaps contestable) argument for a lawful basis like legitimate interests exists. The DPC's decision to launch a formal Section 110 inquiry suggests these combined challenges are viewed as substantial.

Potential Enforcement Actions and Consequences

Should the DPC's inquiry conclude that X Internet Unlimited Company failed to comply with GDPR requirements in its processing of EU/EEA user data for Grok AI training, the company could face a range of significant enforcement actions and consequences.

The most widely discussed potential consequence is the imposition of administrative fines under Article 83 of the GDPR. For infringements of core principles, such as those relating to lawful basis and transparency, the regulation empowers supervisory authorities to levy fines of up to €20 million or 4% of the undertaking's total worldwide annual turnover in the preceding financial year, whichever amount is higher. Given the global scale of the X platform, the potential fine under the 4% turnover threshold could be substantial, aligning with multi-million and even billion-euro fines previously issued by the DPC against other large technology companies.

Beyond financial penalties, the DPC possesses a suite of corrective powers under Article 58(2) of the GDPR, which could have profound operational impacts on XIUC and the deployment of Grok in Europe. These powers include the ability to issue orders requiring the controller to:

Bring processing operations into compliance in a specified manner and within a specified period. This could involve mandating changes to how data is collected, requiring the implementation of valid consent mechanisms, or enhancing transparency notices.
Order the rectification or erasure of personal data ('right to be forgotten'). This could potentially require XIUC/xAI to delete EU user data unlawfully processed for training Grok, a technically complex and potentially costly undertaking.
Impose a temporary or definitive limitation, including a ban, on the processing activities in question. This could mean prohibiting XIUC from using EU user posts for AI training going forward.
Order the suspension of data flows to a recipient in a third country or to an international organisation.

These corrective orders, while less headline-grabbing than large fines, can fundamentally alter business practices and product development roadmaps. An order to cease processing EU user data or delete data already used could significantly hinder the development, refinement, and performance of Grok specifically for the European market, potentially requiring costly retraining using alternative, compliant datasets or limiting the AI's capabilities within the region.

Furthermore, an adverse finding by the DPC would likely result in significant reputational damage for X within the EU and potentially globally. Non-compliance with data protection laws, especially following previous scrutiny on similar issues, can erode user trust, deter advertisers, and attract negative attention from policymakers and civil society groups.

Finally, the inquiry process itself, regardless of the outcome, entails substantial legal costs for XIUC in responding to DPC requests, preparing submissions, and potentially engaging in subsequent litigation or appeals.

While the prospect of large fines captures attention, the potential imposition of corrective orders carries arguably greater long-term strategic weight. Such orders could force fundamental changes to X/xAI's data acquisition and AI development methodologies for the European market, impacting the competitiveness and functionality of the Grok AI within one of the world's major economies.

Wider Implications: Precedent for AI and Social Media Data

The Data Protection Commission's inquiry into XIUC extends far beyond the specific circumstances of X and Grok, carrying potentially significant implications for the broader technology landscape, particularly at the intersection of artificial intelligence, social media, and data protection law.

A key area where this investigation could set a crucial precedent concerns the use of "publicly available" personal data for AI training. For years, a common practice in AI development has involved scraping vast amounts of data from the open web, including social media platforms, often under the assumption that public accessibility implies permission for use. The DPC's focus on the lawfulness and transparency of using public X posts challenges this assumption head-on. A finding that such processing requires a more robust legal basis (like specific consent) or significantly enhanced transparency could compel a fundamental shift in data acquisition strategies across the AI industry. Companies relying on scraped public data may need to re-evaluate their practices to ensure GDPR compliance.

Consequently, the inquiry's outcome could substantially impact AI development methodologies, particularly for entities targeting the EU market. If the DPC adopts a strict interpretation regarding the use of public user-generated content, AI developers might be pushed towards alternative approaches. These could include investing more heavily in obtaining explicit, granular user consent for data usage in AI training, relying more on licensed or proprietary datasets, developing advanced anonymization techniques, or increasing the use of synthetic data to train models. This could potentially slow down development cycles or increase costs but would align practices more closely with GDPR principles. The experience of a Nordic bank halting its AI rollout due to uncertainty over training data provenance illustrates the real-world impact of these concerns.

Regulatory actions undertaken by influential bodies like the DPC, particularly concerning major US technology firms headquartered in Ireland for EU operations, often exert a global influence, sometimes referred to as the 'Brussels effect'. Findings and enforcement decisions in this case could inspire similar investigations or prompt regulatory clarifications in other jurisdictions grappling with AI governance and data privacy, potentially influencing emerging standards in regions like Singapore or Canada.

This GDPR investigation does not occur in a regulatory vacuum. It interacts with other significant EU legislative frameworks governing the digital sphere. X is already subject to formal proceedings under the Digital Services Act (DSA) concerning obligations around risk management, content moderation, and algorithmic transparency.

Furthermore, the EU AI Act is establishing horizontal rules for AI systems placed on the EU market. Findings regarding data governance practices under the GDPR inquiry could potentially inform assessments under the DSA (e.g., relating to transparency or systemic risks) and contribute to the overall understanding of responsible AI development within the EU's comprehensive regulatory ecosystem. This highlights an increasingly integrated approach where data protection, platform regulation, and AI governance are intertwined.

While the DPC has indicated the probe is independent of transatlantic trade tensions , high-profile investigations into major US technology companies inevitably play out against this broader geopolitical backdrop. The outcome could be interpreted within the context of differing regulatory philosophies between the EU and the US regarding technology governance.

Ultimately, this case may establish clearer benchmarks for what constitutes adequate transparency and a valid lawful basis (whether consent or a rigorously assessed legitimate interest) when leveraging user-generated content for the specific purpose of training sophisticated AI models. The DPC's conclusions are likely to ripple outwards, affecting not just XIUC, but the entire ecosystem of AI development reliant on web-scale data, and influencing how social media platforms globally perceive the legal constraints and responsibilities associated with the public content hosted on their services.

Table 3: Comparative DPC/EU Enforcement Actions Context

Case	Subject Matter	Regulator(s)	Status/Outcome (as reported)	Relevance
DPC vs. XIUC (Grok Training Data)	GDPR (Lawfulness, Transparency, AI Training)	DPC (Ireland)	Ongoing Inquiry (Announced April 2025)	Current case; potential precedent for AI data use.
DPC vs. X/Twitter (Previous AI Data Use)	GDPR (Consent/Data Use for AI)	DPC (Ireland)	Reported Agreement / Court Action Halted (Summer/Sept 2024)	Provides direct historical context; suggests recurring issue.
EU Commission vs. X (DSA Compliance)	DSA (Risk Mgt, Content Mod., Transparency)	EU Commission	Formal Proceedings Opened (Late 2023)	Demonstrates broader EU regulatory scrutiny of X beyond GDPR.
DPC vs. Meta (Data Transfers)	GDPR (International Data Transfers)	DPC (Ireland)	€1.2 Billion Fine (2023)	Example of DPC's capacity for major enforcement against large tech firm; highest GDPR fine to date.
DPC vs. Meta (Other Violations)	GDPR (Various, e.g., Transparency, Lawful Basis)	DPC (Ireland)	Multiple Fines Totaling >€2.5 Billion since 2021	Shows consistent DPC enforcement against Meta across various GDPR aspects.
DPC vs. TikTok (Child Data)	GDPR (Processing of Children's Data, Transparency)	DPC (Ireland)	Draft Decision submitted to other EU DPAs (Feb 2025); Previous Fines	Highlights DPC activity on specific GDPR areas like children's data; involves cross-border cooperation.
DPC vs. Microsoft/LinkedIn	GDPR (Various)	DPC (Ireland)	Fines issued (e.g., >€310M for Microsoft mentioned ; LinkedIn fine also noted )	Indicates DPC enforcement extends across multiple major US tech companies with EU HQs in Ireland.

This table illustrates that the current inquiry into XIUC is part of a sustained pattern of regulatory oversight by the DPC and other EU bodies targeting the compliance of large digital platforms with European rules. It underscores the DPC's central role as the LSA for many major US tech companies operating in the EU and its demonstrated willingness to conduct complex investigations and impose significant sanctions.

Conclusion and Outlook

The commencement of a formal statutory inquiry by Ireland's Data Protection Commission into X Internet Unlimited Company marks a significant development in the ongoing effort to align rapidly evolving artificial intelligence technologies with established data protection principles. The investigation's focus on the use of publicly accessible posts from EU/EEA users on the 'X' platform to train the Grok AI models places it at the critical juncture of social media data exploitation, AI development ethics, and GDPR compliance.

XIUC faces substantial legal hurdles, primarily in demonstrating a valid lawful basis under GDPR Article 6 for this specific processing activity and in proving that it met the stringent transparency requirements of Articles 13 and 14. The reliance on either user consent, which appears doubtful given reports of default opt-ins and lack of clarity, or legitimate interests, which requires a challenging balancing test likely scrutinized heavily by the DPC, presents significant difficulties. The context of previous DPC engagement on similar AI data use issues further complicates XIUC's position and potentially raises the stakes.

The potential outcomes of this inquiry range from a finding of no infringement to the imposition of severe sanctions. These could include substantial administrative fines, potentially reaching billions of euros based on global turnover, and corrective orders mandating significant changes to data processing practices. Such orders, including potential requirements to cease processing EU user data for AI training or delete unlawfully processed data, could have a more lasting impact on X/xAI's operational capabilities and AI strategy within the lucrative European market than even a large one-off fine.

Beyond the immediate consequences for XIUC, the DPC's findings are poised to have broader resonance. The inquiry is likely to establish important precedents regarding the permissible use of publicly available personal data for AI training under GDPR, potentially influencing industry standards globally. It underscores the centrality of data protection within the EU's increasingly comprehensive framework for regulating digital platforms and AI systems, complementing initiatives like the Digital Services Act and the AI Act.

The investigation is anticipated to proceed over the coming months.⁶ Its progression and ultimate resolution will be closely monitored by technology companies, legal practitioners, privacy advocates, and regulators worldwide. XIUC's strategic response, level of cooperation with the DPC, and the evidence presented regarding its data processing practices will be crucial factors shaping the final outcome. This case serves as a potent reminder that even data made public by users remains subject to rigorous data protection rules, particularly when processed at scale for novel and potentially intrusive purposes like training powerful AI models.

Compliance Considerations for Businesses Utilizing User-Generated Content or Developing AI

The DPC's inquiry into XIUC offers valuable lessons and prompts critical compliance considerations for any organization involved in processing user-generated content, particularly if sourced from public domains, or engaged in the development of Artificial Intelligence systems:

Rigorously Assess Lawful Basis: Organizations must move beyond assuming that publicly accessible data is 'free' or automatically available for any purpose. Before processing personal data from public sources (like social media, forums, websites) for secondary purposes such as AI model training, a specific, valid lawful basis under GDPR Article 6 must be identified and documented. If relying on legitimate interests, a thorough, documented balancing test assessing the necessity of the processing and its impact on individuals' rights and freedoms is essential. Relying on consent requires meeting the high GDPR standards for validity (freely given, specific, informed, unambiguous).
Prioritize and Enhance Transparency: Clear, concise, specific, and easily accessible information must be provided to individuals before their data is processed for AI training or other secondary purposes. This information should explicitly state the purpose (e.g., "to train our AI customer service chatbot"), the types of data used, any third parties involved (like affiliated AI development entities), and how users can exercise their rights, including opting out. Avoid vague language or burying details in lengthy, complex privacy policies. Consider using layered notices, just-in-time notifications, and dedicated AI ethics or data usage sections on websites.
Adhere to Purpose Specification and Limitation: Clearly define and document the specific purposes for which personal data is collected. Ensure that any further processing for new purposes (like AI development) is either compatible with the original purpose (often difficult to argue for significantly different uses) or is based on a separate, valid lawful basis (e.g., specific consent for AI training). Maintain records of these assessments.
Implement Data Minimisation: Only collect and process the personal data that is strictly necessary for the defined purpose. For AI training, continuously assess whether the scope of data collection can be reduced, or if techniques like robust anonymization or pseudonymization can be effectively applied to minimize risks to individuals, without compromising the model's utility where feasible.
Conduct Vendor and Affiliate Due Diligence: When sharing data with third-party vendors or affiliated companies for AI development or other processing, ensure that robust data processing agreements (DPAs) are in place. Verify that the sharing itself has a lawful basis and that the recipient adheres to GDPR standards. If data is transferred outside the EEA, ensure appropriate transfer mechanisms (e.g., adequacy decisions, Standard Contractual Clauses with supplementary measures) are implemented.
Actively Monitor the Regulatory Landscape: The legal and regulatory environment surrounding AI and data protection is rapidly evolving. Organizations should stay informed about new guidance, enforcement actions (like the DPC's XIUC inquiry), court decisions, and legislative developments (such as the AI Act). Compliance programs should be dynamic and updated proactively to reflect emerging best practices and legal interpretations.

The DPC's investigation into XIUC serves as a significant indicator of regulatory focus. Businesses engaging in similar data practices should view this as an opportunity to proactively review and strengthen their own GDPR compliance posture regarding the use of user-generated content and AI development, rather than waiting for potential regulatory scrutiny. A demonstrable commitment to lawful, fair, and transparent data processing is increasingly crucial for building trust and mitigating legal and reputational risks in the data-driven economy.

If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:

By email:
secretary@iisf.ie

By post:

David Cahill

GTS Security,
Exo Building,
North Wall Quay,
Dublin 1,
D01 W5Y2

Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland

Forum SPONSORS

Invitations for Annual Sponsorship of IISF has now reopened.

(your logo & profile link here)

Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more

More News

CVE System grinds to a near halt
The Common Vulnerabilities and Exposures (CVE) system, a cornerstone of cybersecurity, recently faced a significant threat due to a near lapse in its funding.

IISF April Chapter Meeting Report
Vulnerability Management 2025, Incident response, Managing the unthinkable & Cyber Insurance - Industry insights and Advice

IISF Members / Sponsors

secured by edgescan digital security radar logo