Social media platform X (formerly Twitter) is currently facing a wave of legal complaints from nine European countries, accusing the company of breaching data privacy laws under the General Data Protection Regulation (GDPR).
The complaints, filed by the NGO None of Your Business (Noyb), were submitted to regulatory authorities in France, Belgium, Austria, Spain, the Netherlands, and other EU nations on Monday.
The complaints allege that X, owned by Elon Musk, has engaged in illegal data processing practices, specifically focusing on the company’s purported failure to obtain explicit user consent before collecting and utilizing personal data.
According to Noyb, X’s privacy policies lack clarity, leaving users inadequately informed about how their data is managed or shared with third parties. Furthermore, the platform is accused of failing to provide sufficient user control over data management, including options to opt out of certain data processing activities.
The GDPR mandates that companies must secure explicit consent from individuals before processing their personal data and must maintain transparency regarding its use. Companies found in violation of these regulations can face significant penalties, including fines up to four percent of their global annual revenue.
Noyb’s complaints specifically highlight X’s alleged unlawful use of personal data from approximately 60 million EU residents for training artificial intelligence (AI) models. Noyb argues that X’s reliance on the legal basis of “legitimate interest” to justify this data processing is inadequate under GDPR guidelines.
The NGO asserts that X has not provided users with the opportunity to consent or withhold consent for such uses of their data, thus infringing on their GDPR rights.
A notable aspect of the complaints is the one filed in Ireland, which holds particular significance due to Ireland’s role as the European headquarters for numerous U.S.-based tech firms, including X.
The Irish Data Protection Commission (DPC), which oversees data protection practices for such companies, has already initiated legal proceedings against X concerning its AI training data practices.
The DPC has sought an injunction from the Irish High Court to compel X to halt the use of personal data for training purposes. Noyb has criticized the DPC for perceived inadequacies in its enforcement actions against X and its failure to address the broader implications of the case.
X has yet to respond publicly to the legal complaints and ongoing regulatory scrutiny.