Ireland's Data Protection Commission (DPC) announced on Friday, April 11 the commencement of an inquiry relating to artificial intelligence on the social media platform X, formerly Twitter.
The DPC said it will be looking into the processing of personal data in EU/EEA users' publicly accessible posts on X for the purposes of training generative artificial intelligence models, in particular the Grok Large Language Models (LLMs).
Grok is the name of a group of AI models developed by xAI. These LLMs are used, among other things, to power a generative AI querying tool/Chabot, which is available on the X platform.
Like other modern LLMs, the Grok LLMs have been developed and trained on a wide variety of data.
The inquiry, the DPC said on Friday, will examine compliance with a range of key provisions of the General Data Protection Regulation (GDPR), including with regard to the lawfulness and transparency of the processing.
🔔 Latest News: Irish Data Protection Commission announces the commencement of an inquiry into X Internet Unlimited Company.
Press Release 📰 https://t.co/N3vMUb7qSY pic.twitter.com/H9gmV7Zbps
— Data Protection Commission Ireland (@DPCIreland) April 11, 2025
The DPC said its inquiry considers a range of issues concerning the use of a subset of this data which was controlled by X Internet Unlimited Company (XIUC), namely personal data comprised in publicly accessible posts posted on X by EU/EEA users.
(XIUC, the name of the Irish entity and Data Controller for EU users of X, was formerly Twitter International Unlimited Company (TIUC) - its name change was effective from April 1.)
The purpose of this inquiry, the DPC said, is to determine whether this personal data was lawfully processed in order to train the Grok LLMs.
The decision to conduct the inquiry under Section 110 of the Data Protection Act 2018, taken by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, was notified to XIUC this week.
What is GDPR?
The European Union's General Data Protection Regulation (GDPR) defines: individuals’ fundamental rights in the digital age; the obligations of those processing data; methods for ensuring compliance; sanctions for those in breach of the rules.
GDPR is described as "the strongest privacy and security law in the world."
This regulation updated and modernized the principles of the 1995 data protection directive. It was adopted in 2016 and entered into application on May 25, 2018.
In 2023, the DPC handed Meta, parent company of Facebook, a record €1.2 billion fine for its breach of the GDPR.
Comments