CED Newsletters & Policy Alerts

Policy Alert: EU Intensifies Investigations of X

April 24, 2025

Action: European Union (EU) regulators are intensifying their scrutiny of the social media platform X, pursuing investigations into potential violations of the General Data Protection Regulation (GDPR), which governs data privacy, and separately, the Digital Services Act (DSA), which aims to curb illegal and harmful online activity and limit the spread of disinformation. Recent reports have noted that one DSA-related investigation may soon result in fines in excess of $1 billion.

Key Insights

• The  DSA establishes a variety of requirements for designated platforms with more than 45 million monthly active EU users, including blocking profiling-based ads targeting children under 18, providing mechanisms for users to flag illegal content, taking actions to mitigate systemic risks such as disinformation, election interference, cyber violence, and harmful content. The European Commission may impose fines up to 6% of global annual turnover (a definition of revenue used in EU competition cases) for non-compliance.
• In December 2023, the Commission opened an investigation into whether X violated the DSA in multiple areas, including potential violations related to dark patterns, advertising transparency, and data access for researchers. It released preliminary findings of non-compliance in July 2024. In addition, the Commission also maintains an ongoing investigation into the platform’s dissemination of illegal content and the effectiveness of its measures to combat information manipulation, most recently requesting internal documents related to the platform’s algorithms.
• This is the EU’s first major attempt to enforce the DSA and, according to press reports, regulators are preparing to issue fines and require changes to X’s operations to resolve the 2024 findings. 
• The EU has additional open DSA investigations into the actions of several global firms, including Meta, TikTok, AliExpress, and Temu.  
• A separate investigation recently opened by Ireland’s Data Protection Commission (DPC) is probing whether X used EU users’ personal data to help train its artificial intelligence model “Grok” in violation of the EU’s GDPR. X settled a similar case with the DPC last year. Under GDPR, regulators may impose fines of up to 4% of global annual turnover.
• Earlier this month, Elon Musk, the primary shareholder of both X and the xAI artificial intelligence company, merged the two firms in a deal that values the combined company at over $110 billion. The merger may increase the potential fines related to these investigations.
• These actions have implications for US-EU relations. In February, the President signed a Memorandum calling for an investigation of the EU’s separate digital services taxes while also noting that that “[r]egulations that dictate how American companies interact with consumers in the European Union, like the Digital Markets Act and the Digital Services Act, will face scrutiny from the Administration.”
• Some US policymakers, including the Vice President, have argued that the laws (which apply globally) unfairly disadvantage US tech companies. The Administration will likely raise these concerns in the context of trade and tariff negotiations with the EU, citing the laws and the EU’s actions as non-tariff barriers to trade.