Data Protection Commission welcomes conclusion of proceedings relating to X’s AI tool ‘Grok’

04th September 2024

The DPC is pleased to announce the conclusion of the proceedings it brought before the Irish High Court on 8 August 2024. The matter was back before the Court this morning and the proceedings have been struck-out on the basis of X’s agreement to continue to adhere to the terms of the undertaking (DPC statement issued on 8 August 2024) on a permanent basis.

The application was made in urgent circumstances where the DPC had significant concerns that the processing of personal data contained in the public posts of X’s EU/EEA users for the purpose of training its AI ‘Grok’ gave rise to a risk to the fundamental rights and freedoms of individuals[1]. This was the first time that the DPC, as Lead Supervisory Authority across the EU/EEA, has taken such action, utilising its powers under Section 134 of the Data Protection Act 2018[2].

Commissioner (Chairperson) Des Hogan speaking on today’s conclusion stated: “The DPC welcomes today’s outcome which protects the rights of EU/EEA citizens. This action further demonstrates the DPC’s commitment to taking appropriate action where necessary, in conjunction with its European peer regulators. We are grateful for the Courts consideration of the matter”

More broadly, the DPC is addressing issues arising from the use of personal data in AI models across industry. Today, the DPC is making a request to the European Data Protection Board (the EDPB) for an opinion pursuant to Article 64(2) GDPR[3]. This request will be made in order to trigger discussion and facilitate agreement, at EDPB level, on some of the core issues that arise in the context of processing for the purpose of developing and training an AI model, thereby bringing some much needed clarity into this complex area.  The opinion invites the EDPB to consider, amongst other things, the extent to which personal data is processed at various stages of the training and operation of an AI model, including both first party and third party data and the related question of what particular considerations arise, in relation to the assessment of the legal basis being relied upon by the data controller to ground that processing.

Commissioner Dale Sunderland commented that: “The DPC hopes that the resulting opinion will enable proactive, effective and consistent Europe-wide regulation of this area more broadly. It will also support the handling of a number of complaints that have been lodged with/transmitted to the DPC in relation to a range of different data controllers, for purposes connected with the training and development of various AI models.”


[1] On 8 August 2024, Ms. Justice Reynolds made the following remarks:

“So clearly I am satisfied that there is an urgency to this application in circumstances where the measures which the respondent seems to have accepted were necessary to put in place, these enhanced mitigation measures, weren't put in place for a number of months after the relevant processing commenced and thereafter it wasn't rolled out to all ex users immediately.  So there's an issue in respect of this data that has been collected over that period of time and that is now being used to train, according to the letter, the Grok 1 I think it is.  I think it's being used in respect of training for the initial Grok rollout or indeed training on the Grok.”

[2] Section 134 of the Data Protection Act 2018 allows the Commission, where it considers there is an urgent need to act to protect the rights and freedoms of data subjects, to make an application to the High Court for an order requiring the data controller to suspend, restrict or prohibit the processing of personal data.

[3] Article 64(2) GDPR is the mechanism by which a supervisory authority such as the DPC can request the EDPB to produce an opinion, setting out its views on any matter of general application or producing effects.