Ireland Opens Probe into X’s Use of Public Posts to Train AI Chatbot Grok
Key Takeaways
- DPC Launches Inquiry: Ireland’s Data Protection Commission has opened a formal inquiry into X Internet Unlimited Company (XIUC) over its use of EU/EEA users’ public posts to train Grok, a generative AI model developed by xAI.
- Focus on GDPR Compliance: The inquiry will assess whether this data processing complied with key GDPR principles, particularly around transparency and the lawful basis for using personal data.
- Grok’s Training Data Under Scrutiny: At issue is whether Grok’s large language models were trained using personal data from X posts without appropriate user consent or legal justification.
- Recent Rebranding Noted: XIUC recently replaced Twitter International Unlimited Company as the EU-facing entity for X users, effective April 1, 2025.
- Investigation Initiated Under Irish Law: The inquiry was launched under Section 110 of the Data Protection Act 2018 by Commissioners Dr. Des Hogan and Dale Sunderland, with formal notice delivered to XIUC this week.
Deep Dive
Ireland’s privacy watchdog has questions, and they’re pointed squarely at Elon Musk’s X. On Thursday, the Irish Data Protection Commission (DPC) announced the launch of a formal inquiry into X Internet Unlimited Company (XIUC), the newly named data controller for X’s EU user base. The central issue? Whether publicly accessible posts by European users have been quietly fed into the company’s generative AI system, Grok, without proper legal basis.
Grok is the AI chatbot from Musk’s xAI venture, and like other large language models, it thrives on massive amounts of training data. But regulators in Europe aren’t so quick to sign off on the idea that “public” means “fair game.” According to the DPC, this inquiry will examine whether X’s harvesting of user posts complies with the General Data Protection Regulation (GDPR), especially in terms of transparency and lawfulness.
“The public nature of a post doesn’t eliminate the responsibility to process personal data lawfully,” the DPC’s announcement implied, though it stopped short of leveling any allegations. The investigation is also expected to delve into whether X clearly communicated to users that their words might be used to sharpen the mind of an AI chatbot.
The timing is significant. Just weeks ago, XIUC formally took over from Twitter International Unlimited Company as the legal entity representing EU users, following the broader rebranding of Twitter into “X.” That shift was quietly noted to the DPC on March 25 and took effect April 1, meaning this inquiry lands squarely in XIUC’s lap.
The decision to initiate the inquiry was taken by the DPC’s top commissioners, Dr. Des Hogan and Dale Sunderland, under Section 110 of Ireland’s Data Protection Act 2018. X was notified earlier this week.
While Musk’s AI ambitions are charging ahead, with Grok now integrated into the X platform and touted as a free-speech-friendly alternative to ChatGPT, Europe’s regulators are making it clear that AI development doesn’t get to sidestep privacy rules. The results of this inquiry could influence how companies across the continent collect and repurpose user data for AI in the future.
For now, all eyes are on Dublin, and Grok may soon have to explain how it learned what it knows.