Irish Privacy Official: High Court Relief Against X Was ‘Absolutely Necessary’
It was “absolutely necessary” for the Irish Data Protection Commission to seek high court relief blocking X from using EU users’ data to train its AI system, DPC Deputy Commissioner Graham Doyle said Friday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The DPC, acting as the lead EU privacy enforcer, brought the case against the social media company in August 2024, arguing before the Irish High Court that X lacked a legal basis for using personal data to train its AI system Grok without consent. The court struck down the case in September 2024 after X told the DPC it would end the Grok-related data processing. Satisfied with X's response, the DPC dropped the complaint, only to announce another inquiry in April.
“We felt the absolute need to” seek high court relief, Doyle said during an IAPP livestream. “There was an urgency. We believed there was no legal basis for doing what they were doing.”
High Court Judge Leonie Reynolds agreed that the case was urgent, Doyle added.
The DPC relied on Irish Data Protection Act Section 134, which allows the regulator to seek suspension or restriction of data processing if there’s an urgent need to protect data rights and freedoms.
“It’s an important power,” said Doyle. “It’s a strong power that we have.”
However, he said, the DPC would prefer not to seek injunctive relief and instead resolve issues before a company launches a product. "It’s a much better way for us to do business. So, hopefully [using this authority] will be few and far between." However, in the X situation, it was “absolutely necessary to protect fundamental rights.”
Doyle said the Irish regulator has engaged often with tech companies on AI products and services. With the EU AI Act coming into full force in August 2026, Doyle recommended companies involve their data-protection officers in any discussions about AI systems. “They need to be part of the conversations,” he said. “It’s really important that that takes place because they need to know what’s happening from a data protection perspective.”
The DPC on Thursday released its annual report, which showed 28.1 million euros in annual funding for 2024, an increase of 2 million euros from 2023. The commission noted in the report that it finalized 11 investigation decisions that resulted in fines of 652 million euros, along with multiple reprimands and compliance orders.
Among the significant decisions was an October 2024 fine against LinkedIn of 310 million euros for data-protection breaches relating to behavioral analysis and targeted advertising (see 2410240008). In December, the DPC also fined Meta Platforms Ireland 250 million euros for breaches involving user tokens.
Last year, the DPC said, it received more than 11,000 cases from individuals and finalized 10,500. It concluded 145 valid cross-border complaints as the EU/European Economic Area lead supervisory authority. The office received in excess of 7,700 valid breach notifications, up 11% from 2023. Half of them arose from correspondence sent to the wrong recipient, it said.
A public attitudes survey, conducted in May, found nearly three of four people believe that it's quite important or very important for organizations that design, develop or use new technologies, products or services to comply with data-protection rules, even if it means a delay in rollout, the DPC noted.
In response to questions about technology and data protection, 77% of people said they're concerned about how children's personal data is shared and used online. A similar percentage, 76%, were worried about how their personal data is used to create a digital profile of them that can be shared, sold or traded.
Sixty-one percent of respondents worry about the use of AI, the survey found. In general, people 18-34 were less concerned about most aspects of technology and personal data safety, while those 55 and older were "significantly" more worried.
Seventy percent of respondents reported they could trust the DPC to uphold their rights to personal data protection, and half of those who had interacted with the watchdog had a more positive view of it afterward, the survey said.
The results showed "strong levels of awareness and recognition of the importance of data protection, particularly in the context of emerging technologies, products and services," said DPC Commissioner Dale Sunderland. Moreover, they showed public concerns around organizations' use of personal data, an insight that's critical as the office begins a midterm review of its regulatory strategy.