X, formerly Twitter, is facing fresh privacy questions after users noticed a default-enabled setting tied to Grok AI training. The change appears to allow X posts and certain Grok-related activity to be used for training and fine-tuning, with the Irish Data Protection Commission now seeking answers from the platform.
A quiet change with major privacy implications
The setting surfaced on Friday, when users of X spotted language indicating that their data could be included in the training pool for Grok. Grok is the conversational AI, or large language model, developed by Elon Musk-owned X and positioned as a rival to OpenAI’s ChatGPT chatbot.
According to the setting text, users are asked to: “Allow your posts as well as your interactions, inputs, and results with Grok to be used for training and fine-tuning.” Additional smaller print says X may use posts, user interactions, inputs and results with Grok for training and fine-tuning purposes. It also says this data “may be shared with our service provider xAI for these purposes.”
The key concern is not only that the setting exists. It is that the setting appears to be enabled by default. That means users who did not actively choose to participate may still have been placed into a data-sharing arrangement unless they locate and turn off the feature.
The exact scope remains unclear from the wording. The language could be read as covering broad X posts as well as activity connected to Grok. It could also be read more narrowly, as applying mainly to interactions with the chatbot, which is available to subscribers of X premium. That ambiguity is central to the issue because privacy obligations depend heavily on what data is processed, for what purpose, and on what basis.
Why Ireland’s DPC is asking questions
The Irish Data Protection Commission, known as the DPC, told TechCrunch that it was “surprised” by the development. The watchdog said it had been discussing the matter with X for months and had its latest interaction with the company as recently as yesterday.
“The DPC has been engaging with X on this matter for a number of months, with our latest interaction occurring as recently as yesterday,” DPC deputy commissioner, Graham Doyle, told TechCrunch. “Therefore we are surprised by today’s developments. We have followed up with X today and are awaiting a response. We expect further engagement early next week.”
The DPC leads oversight of X’s compliance with the European Union’s General Data Protection Regulation. The GDPR is the bloc’s privacy law, and confirmed breaches can carry penalties of up to 4% of global annual turnover.
That makes the Grok AI data setting more than a product-design dispute. In the EU, a company needs a valid legal basis before it processes people’s personal data. TechCrunch reported that it is not clear what legal basis X is relying on for using European users’ data to train Grok.
The wording leaves users with unanswered questions
For users, the immediate issue is transparency. The setting combines several categories of data in one place: posts, interactions, inputs, and results with Grok. It also refers to training and fine-tuning, two terms that describe using data to improve or adapt an AI system.
That creates several practical questions for anyone using X:
- Whether ordinary posts on X are included in Grok AI training.
- Whether only Grok-related interactions are part of the setting.
- Whether data may be shared with xAI for the stated purposes.
- Whether users were clearly informed before the setting was enabled.
- What legal basis X relies on for processing European users’ data.
The source article notes that anyone concerned about their X information being used for Musk’s chatbot can learn how to turn off the feature. Still, opt-out controls do not answer the regulatory question by themselves. Under EU privacy rules, the legal basis for processing remains a separate issue from whether a user can later disable a setting.
AI training is becoming a privacy flashpoint
The Grok AI data-sharing issue fits a broader pattern described in the source article: large platforms want to repurpose user data to improve artificial intelligence systems, while regulators are asking whether those plans meet privacy requirements.
TechCrunch notes that Meta had a similar plan to repurpose Facebook and Instagram user data for AI training. That plan was paused in Europe just last month after GDPR complaints brought regulatory scrutiny in Ireland and the U.K.
The comparison matters because it shows how quickly AI training can move from a product update to a regulatory problem. User-generated content can be valuable for model development, but the source makes clear that companies operating in the EU still need a lawful route for processing personal data.
For X, the next step is engagement with the DPC. The watchdog said it had followed up with the company and was awaiting a response. It also expected further engagement early next week.
X has not explained its legal basis
TechCrunch said it contacted X to ask what legal basis the company is relying on to process Europeans’ data for Grok training. At the time of writing, the response from the company’s press email was the automated line: “Busy now, please check back later.”
Until X provides more detail, the situation remains unresolved. The setting’s wording indicates that posts and Grok interactions may be used for training and fine-tuning. The DPC says it is surprised and wants answers. Users are left to inspect their privacy settings while regulators examine whether the change fits within the rules that apply in Europe.
The core issue is simple: AI systems need data, but platforms still have to explain what they are taking, why they are taking it, who receives it, and what legal basis supports the processing. The Grok AI setting has put those questions directly in front of X.