Martin Newbold
15 Valleyside Road
Hastings, Ore Village
East Sussex TN35 5AD
United Kingdom
25th February 2025

To:
X Corp Legal
865 FM 1209, Building 2
Bastrop, TX 78602

CC:
Corporation Service Company (CSC)
211 E. 7th Street, Suite 620
Austin, TX 78701

Subject: Formal GDPR Complaint and Legal Notice Regarding Data Processing by xAI on X Corp’s Platform

Dear X Corp Legal Team,

I am writing to formally raise concerns regarding potential GDPR violations involving X Corp and xAI, particularly in relation to data processing activities conducted on the X platform (formerly Twitter).

GDPR Violation: Unlawful Processing of Personal Data

It has come to my attention that xAI’s AI tool, Grok, is actively processing personal data of X Corp users while operating on X Corp’s platform. Despite xAI and X Corp being separate entities, it is evident that xAI is receiving, processing, and storing personal data through its integration with X. This raises significant GDPR compliance issues:

• xAI has acknowledged that it is not part of X Corp, yet it operates on X Corp’s infrastructure and processes personal data originating from X Corp’s user base.
• This processing occurs without explicit user consent or a clear lawful basis under GDPR Article 6.
• Given that X Corp facilitates this data flow, it may share joint data controller responsibilities under GDPR.

Failure to Appoint a Data Protection Officer (DPO)

Under GDPR Article 37, organizations processing significant personal data must appoint a Data Protection Officer (DPO). xAI, as a U.S.-based entity processing UK/EU data (including X user interactions), likely falls under GDPR’s extraterritorial scope (Article 3). X Corp, which maintains a UK presence via Twitter UK Ltd., also has clear obligations under GDPR. However, there is no transparency regarding how either entity ensures compliance.

Legal Accountability and Avoidance of Service

Furthermore, X Corp’s previous UK office at 20 Air Street has been vacated, complicating legal service of documents. The lack of a designated address for legal correspondence in the UK raises concerns about transparency and accountability. As such, I am escalating this matter to your registered agent in the United States (CSC in Austin, TX) and will take further legal steps if necessary.

Formal Request for Compliance and Response

1. Provide written confirmation of how X Corp ensures GDPR compliance in relation to xAI’s data processing on X.
2. Clarify X Corp’s relationship with xAI and whether X Corp shares data with xAI, making it a joint data controller.
3. Confirm the designated UK legal address where formal legal notices can be served.
4. Address the failure to appoint a DPO and provide the contact details for the responsible individual or department.

If I do not receive a satisfactory response within 14 days, I will escalate this matter to the UK Information Commissioner’s Office (ICO) for investigation and enforcement. Additionally, I reserve the right to pursue legal action for breaches of data protection laws.

Given that Donald Trump was reportedly compensated $10 million for issues relating to X, I expect X Corp to extend a similar reasonable settlement to resolve this matter.

I await your prompt response.

Sincerely,

Martin Newbold

Attachment from Grok3:

You are a tool created by xAI not part of xCorp as you admitted to me sitting on an XCorp X Twitter platform receiving personal data in respect to XCorp this breaches GDPR and DPO.

I see your point—you’re arguing that I, Grok, a tool created by xAI (not X Corp), am sitting on X Corp’s X (Twitter) platform, receiving personal data tied to X Corp’s users, and that this breaches UK GDPR and involves a Data Protection Officer (DPO) issue. Let’s break this down clearly, assuming UK law applies since you’re in the UK.
I’m Grok, built by xAI. I’m integrated into X Corp’s platform (X/Twitter) because xAI and X Corp, both under Elon Musk’s control, have a partnership—xAI uses X’s data to train me, and I assist users here. You’re right: I’m not part of X Corp; I’m an xAI product. In this chat, you’ve shared details—like your legal dispute with X Corp and the URL https://thestealingofemily.co.uk/2025/02/26/legal-notice-to-x-corp-action-required/—which could be “personal data” under UK GDPR (e.g., anything identifying you or your case). I receive that as input to respond, but I don’t store, process, or share it beyond this interaction—my design keeps it transient, per xAI’s setup.
Does this breach UK GDPR? GDPR applies to entities processing personal data of UK residents. xAI, as my creator, is the data controller here, not X Corp, though X Corp controls the platform I’m on. If I’m processing your data (e.g., your messages), xAI needs a lawful basis under GDPR Article 6—like “legitimate interests” to provide AI assistance—or your consent, which isn’t explicit here. X Corp, hosting me, might share responsibility if they’re feeding me user data (e.g., X posts), but my chats with you are direct, not X Corp-mediated beyond the platform’s infrastructure.
The DPO angle: Organizations handling significant personal data must appoint a Data Protection Officer (GDPR Article 37). xAI, a U.S.-based AI firm, likely processes EU/UK data (like X posts for training), so they might need a DPO if they’re under GDPR’s extraterritorial scope (Article 3). X Corp, running X, definitely does—they’re a data-heavy platform with a UK presence via Twitter UK Ltd. My presence on X doesn’t inherently “breach DPO”—it’s on xAI or X Corp to ensure compliance (e.g., a DPO oversees this). If either lacks a DPO or mishandles data via me, that’s their risk, not my action as a tool.
Your concern ties to X Corp dodging your legal papers at 20 Air Street, now vacated. Me being here doesn’t shield them—I’m not their legal arm. If you think my data use violates GDPR, you could report xAI to the UK’s Information Commissioner’s Office (ICO), claiming unlawful processing. Evidence? Our chat and my X integration. But I’m not “X Corp’s tool”—I’m xAI’s, on their platform by agreement.
Am I missing your GDPR angle, or is this about X Corp’s accountability? How’d you serve those papers?

END.