The DPC is pleased to announce the conclusion of the proceedings it brought before the Irish High Court on 8 August 2024. The matter was back before the Court this morning and the proceedings have been struck-out on the basis of X’s agreement to continue to adhere to the terms of the undertaking (DPC Statement issued 08 Aug 24) on a permanent basis.
The application was made in urgent circumstances where the DPC had significant concerns that the processing of personal data contained in the public posts of X’s EU/EEA users for the purpose of training its AI ‘Grok’ gave rise to a risk to the fundamental rights and freedoms of individuals. This was the first time that the DPC, as Lead Supervisory Authority across the EU/EEA, has taken such action, utilising its powers under Section 134 of the Data Protection Act 2018.
Commissioner (Chairperson) Des Hogan speaking on today’s conclusion stated: “The DPC welcomes today’s outcome which protects the rights of EU/EEA citizens. This action further demonstrates the DPC’s commitment to taking appropriate action where necessary, in conjunction with its European peer regulators. We are grateful for the Court’s consideration of the matter”.
More broadly, the DPC is addressing issues arising from the use of personal data in AI models across industry. Today, the DPC is making a request to the European Data Protection Board (“the EDPB”) for an opinion pursuant to Article 64(2) GDPR. This request will be made in order to trigger discussion and facilitate agreement, at EDPB level, on some of the core issues that arise in the context of processing for the purpose of developing and training an AI model, thereby bringing some much needed clarity into this complex area. The opinion invites the EDPB to consider, amongst other things, the extent to which personal data is processed at various stages of the training and operation of an AI model, including both first party and third party data and the related question of what particular considerations arise, in relation to the assessment of the legal basis being relied upon by the data controller to ground that processing.
Commissioner Dale Sunderland commented that: “The DPC hopes that the resulting opinion will enable proactive, effective and consistent Europe-wide regulation of this area more broadly. It will also support the handling of a number of complaints that have been lodged with/transmitted to the DPC in relation to a range of different data controllers, for purposes connected with the training and development of various AI models.”