Key Highlights of the News:
Widespread Legal Complaints: The privacy advocacy group NOYB, led by Max Schrems, has filed GDPR complaints in nine European countries, on 12.08.2024, with a call for a full investigation into the practices of AI training at Twitter and in these complaints, it is indicated that they could constitute infringements of a number of articles under the GDPR.
Illegal use of data for the training of AI: Twitter, now rebranded as “X,” stands accused of training its AI technologies like “Grok” on personal data from more than 60 million EU users without obtaining consent—which is a violation of the GDPR.
Mild reaction from Irish DPC: The Irish Data Protection Commission (DPC) initiated legal proceedings against Twitter to halt the illegal processing of user data, but the DPC has however received widespread criticism in that, as it appears to have focused on mitigation measures rather than really delving into the legality and consent question at the heart of the processing.
Introduction:
Recently, Twitter AI activities have been put under close observation due to allegations of illegally using personal data from EU residents for training AI technologies such as “Grok” without their informed consent and this has been highly controversial and has led to many lawsuits, especially considering the earlier scandals over those same practices by other technology giants like Meta. It has now escalated into the Irish Data Protection Commission (DPC) taking court action against Twitter, but their approach is being criticized for not fully enforcing the provisions of the GDPR, whereas meanwhile, privacy advocates from NOYB had to go a step further and send complaints on 12.08.2024, across multiple European countries, questioning the legality and ethics behind Twitter’s practice.
AI Data Breach at Twitter
The backlash against the practices for the training of AI at Twitter had begun when it emerged that personal data from more than 60 million users across the European Union and European Economic Area were used without explicit consent and it has been fed to the AI systems behind Twitter, including the technology called “Grok,” so it would be able to perform better. Clearly, this is in violation of the EU General Data Protection Regulation, under which it is incumbent upon companies to seek explicit, informed consent from users before processing their personal data, not to mention such sensitive purposes of AI training.
Limited-Scope of Legal Action
The Irish Data Protection Commission — tasked with monitoring Twitter’s activities to ensure compliance with GDPR, since the company’s European headquarters are based in Ireland — responded to the revelations by filing a lawsuit against Twitter and this was quite a departure for the DPC, given how it has historically been less strict on major technology firms. Whereas at a recent hearing, it became crystal clear that the prime focus of DPC was mitigation steps to be taken by Twitter rather than the legality of data processing per se. So, that approach is vastly criticized, showing how the DPC fails to give full support to the GDPR, designed for the protection of the rights of users regarding the protection of privacy and control over their personal data
Push for Comprehensive Enforcement
In reaction to what it considers weak enforcement by the DPC, the privacy campaign group NOYB, led by well-known privacy campaigner Max Schrems, went a step further. NOYB filed complaints on 12.08.2024, with data protection authorities in nine EU countries—Austria, Belgium, France, Greece, Ireland, Italy, the Netherlands, Poland, and Spain—over Twitter and these complaints call for an investigation by Twitter into its data practice and put pressure on the DPC to enforce GDPR more decisively. The critical issues that arise from the complaints by NOYB are the lack of consent from users and, more generally, how AI systems treat personal data. The GDPR outlines explicit rights of individuals with regard to their personal data, including the right to access, correct, and delete their data but companies like Twitter, however, argue that it is often difficult and sometimes impossible to exercise these rights once data has been used to train AI systems. There is a huge legal and ethical question of accountability and transparency in AI technologies, more so when they rely on large quantities of personal data.
Striking a Balance Between Innovation and User Rights
Twitter AI cases reflect a more general debate on the balance between the fostering of technological innovation and the protection of the rights of users and while AI certainly holds a lot of potential for applications, the way it has been developed and trained so far gives rise to questions critical to privacy, consent, and control. Art. 82 GDPR provides the appropriate framework with which to deal with such issues; but, the enforcement has so far been patchy at best, particularly vis-à-vis large tech companies with the will and resources to fight against any regulatory decisions, where he complaints further outline the possible processing of special categories of personal data, like data that reveal a person’s ethnicity, political opinions, or religious beliefs, which enjoy even more robust protection under the GDPR. The group thinks that Twitter relying on the “legitimate interest” clause of the GDPR to legitimize its data processing is flawed from the outset. This approach has already been rejected by the European Court of Justice in similar cases involving other tech companies, further underscoring the need for stronger enforcement of laws concerning personal data protection.
Conclusion
The ongoing, raging legal disputes about Twitter’s AI training practices only underline the increasing tensions between technological progress and the protection of human rights in the digital age. If AI technologies are to further develop, so must their regulatory frameworks and as shown by the case of Twitter, existing data protection laws need to be enforced more effectively, and firms that process vast amounts of personal data need to be held liable and the case outcome has the potential to set a significant precedent for the development and future regulation of artificial intelligence, not in Europe, but around the world as well. Since there were multiple European countries involved in the investigation, this case might enhance and bring stronger coordination to the enforcement of the GDPR across the EU in safeguarding fundamental user rights amidst technologies that are constantly changing.
References-
https://noyb.eu/en/twitters-ai-plans-hit-9-more-gdpr-complaints
https://thecyberexpress.com/x-ai-training-gdpr-complaints-across-europe/
https://noyb.eu/en/project/artificial-intelligence/c087-09
https://noyb.eu/sites/default/files/2024-08/IE_Twitter_AI_bk.pdf