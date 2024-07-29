X-pert cyber comment on Grok’s privacy policy

July 2024 by Anthony Smith, Principal Consultant at cyber security company Bridewell

X has faced more scrutiny over the weekend following the discovery that a setting has been activated by default, which allows the company to use every user’s data to train the Grok AI chatbot. The commentary from Anthony Smith, Principal Consultant at cyber security company Bridewell.

"X’s processing of personal data to train their AI model is unlikely to meet the requirements outlined in the United Kingdom (UK) or European Union’s (EU) GDPR.

The X AI Privacy Policy states that the company relies on consent and legitimate interests as the lawful basis to train and fine tune their AI model. However, the method chosen by X to automatically opt in users to provide their personal data to train the model does not meet the standards outlined in the UK/EU GDPR, which dictates that consent must be freely given, specific, informed and involve a clear affirmative act from a user.

With minimal information provided to users about how their personal data will be used to train the AI model, it is also unlikely that X can rely on legitimate interests to process personal data this way. Earlier in the year, Meta paused their plans to start training their AI systems in the UK/EU using legitimate interests due to regulatory pressure."