Social media platform X (formerly Twitter) faces a series of complaints filed across nine European countries on Monday, accusing the company of illegal use of private data in violation of the General Data Protection Regulation (GDPR). NGO None of Your Business (Noyb) lodged complaints in France, Belgium, Austria, Spain, and the Netherlands, among other countries, raising concerns over X’s data processing practices and transparency.
The complaints center on X’s alleged failure to obtain user consent before collecting and using personal data. They assert that X’s privacy policies are unclear, leaving users without adequate information on how their data is handled or shared with third parties. Additionally, the platform is accused of not providing sufficient control for users to manage their data, including the ability to opt out of certain data processing activities.
The GDPR is a data protection act by the European Union that safeguards individuals’ personal data and ensures their privacy. Under the GDPR, companies must obtain explicit consent from users before processing their personal data and be transparent about its use. Non-compliance with the GDPR can result in fines reaching up to four percent of a company’s global annual revenue.
The complaints filed by NGO None of Your Business (Noyb) argue that X is unlawfully using the personal data of approximately sixty million EU residents to train its AI models without obtaining explicit consent. Noyb contends that X does not have a valid legal basis for this data processing under the GDPR. While X appears to rely on the concept of “legitimate interest” to justify the use of this data, Noyb and their privacy experts argue that this legal basis is insufficient for the type of processing involved in AI training. Noyb asserts that X has not allowed users to give or withhold such consent, thus violating their rights under the regulation.
The complaint filed in Ireland is particularly noteworthy as Ireland serves as the European headquarters for many U.S.-based tech companies, including X. As a result, the Irish Data Protection Commission (DPC) holds jurisdiction over the data protection practice. The DPC has already initiated legal action against X regarding its data processing practices for training AI models. The DPC has sought an injunction from the Irish High Court to compel X to cease using personal data for training purposes. Noyb has also criticized the DPC for what it perceives as inadequate enforcement actions against X and for its inability to address the broader issue.
X has yet to comment on the complaints.