By 
The Irish Data Protection Commission (DPC) has launched a formal investigation into X (formerly Twitter) over potential violations of the EU General Data Protection Regulation (GDPR). The probe centers on the platform’s alleged use of personal data from European users to train its AI system, Grok, without securing proper legal consent—a move that raises serious concerns around data privacy, compliance management, and the governance of generative AI.
As the lead data privacy regulator for X—given its European headquarters in Ireland—the DPC’s inquiry will determine whether the platform harvested data from publicly available posts across the EU and European Economic Area (EEA) for AI model development, possibly in breach of GDPR’s strict legal requirements for transparency, consent, and data protection.
Under GDPR provisions, the Irish watchdog has the authority to impose financial penalties of up to 4% of a company’s global annual revenue. X could face steep consequences if found non-compliant, marking a significant moment for the regulatory enforcement of AI-related data practices across Europe.
This latest investigation follows a previous legal standoff in which the DPC sought to block X from processing user data for AI training. That case was dropped only after X agreed to halt the use of EU user data for AI purposes unless explicit opt-out mechanisms were in place, highlighting the growing emphasis on compliance automation, regulatory monitoring, and user-centric privacy controls in AI development.
X now joins the ranks of other U.S. tech giants—including Meta, TikTok, and LinkedIn—who have faced extensive scrutiny and regulatory compliance audits from the Irish DPC. Meta alone has been fined nearly €3 billion under GDPR enforcement actions, underscoring the heightened regulatory environment for cross-border tech operations.
While X has not been penalized since a €450,000 fine in 2020 for failing to promptly disclose a data breach, this investigation could signal a renewed push by regulators to enforce regulatory requirements governing AI data governance. With AI technologies rapidly evolving, regulators are keen to ensure that compliance risk assessments and internal controls are aligned with legal standards.
The case also feeds into broader geopolitical debates around digital regulation. X’s owner, Elon Musk, has previously criticized EU oversight mechanisms, characterizing them as overly restrictive. Meanwhile, former U.S. President Donald Trump and his allies have accused the EU of using fines as a form of regulatory taxation on American firms—adding a layer of political complexity to what is fundamentally a compliance and data ethics issue.
As jurisdictions worldwide grapple with the balance between innovation and regulatory risk management, this investigation underscores the importance of establishing RegTech solutions capable of navigating multi-jurisdictional compliance landscapes, especially in areas involving artificial intelligence, privacy rights, and regulatory change management.
Comments