France has formally accused X (formerly Twitter) of illegally harvesting user data in violation of European privacy law. Pavel Durov, founder of Telegram, publicly backed Elon Musk and called the prosecution what he believes it to be: political pressure designed to silence a non-compliant platform ahead of the 2027 French presidential elections. But the deeper story is not just about one company or one regulator. It is about a government that operates one of Europe's most expansive surveillance apparatuses - and is now using privacy law as a weapon against the very platforms it once tried to coerce into cooperation.
What France Actually Charged X With
The investigation, led by France's data protection authority CNIL in coordination with the Paris prosecutor's office, centers on three core allegations. First: unauthorized data extraction. French regulators accuse X of systematically collecting behavioral data - browsing patterns, interaction signals, device identifiers, location data - beyond what users explicitly consented to when creating accounts. Second: unlawful data sharing with advertising brokers outside the EU's regulatory framework, meaning that data collected under European consent rules was routed through third-party data markets that do not meet GDPR adequacy standards. Third: using personal data, including direct messages and posts, to train Grok - X's AI assistant - without informing users that their private communications could become AI training material.
These charges map directly onto specific GDPR provisions. Article 5 establishes core data principles: personal data must be collected for "specified, explicit and legitimate purposes" and cannot be further processed in a manner incompatible with those purposes. Training a commercial AI model on private user messages, without specific user consent to that use, is a textbook violation of Article 5's purpose limitation and data minimization requirements. Article 32 requires platforms to implement "appropriate technical and organisational measures" to ensure data security - a standard France argues X has failed since Elon Musk's 2022 acquisition triggered mass layoffs that eliminated much of the platform's trust and safety infrastructure.
Durov's Counterattack: Privacy Law as a Political Tool
Durov's response was direct. In a Telegram post, he argued that France is selectively weaponizing GDPR against platforms that refuse to cooperate with government censorship requests - while the French state's own intelligence services collect data at a scale that dwarfs anything X is accused of. His argument: France's Direction Generale de la Securite Interieure (DGSI) operates bulk metadata collection programs under the 2015 Intelligence Law, expanded under subsequent anti-terrorism legislation, that allow interception of communications and large-scale data aggregation without individual judicial warrants in many cases. The state apparatus that is now prosecuting X for data collection is itself one of Europe's most aggressive data collectors.
The political timing sharpens the argument. French presidential elections are scheduled for spring 2027. Since Musk's acquisition, X has publicly defied EU regulatory demands, reinstated suspended accounts, refused content removal orders, and mocked European officials. The CNIL investigation opens a pressure point that gives French authorities leverage over a platform that has been openly uncooperative. Whether or not the legal charges are valid, the political context makes Durov's framing difficult to dismiss.
The Structural Hypocrisy of European Digital Policy
Durov's critique points to a contradiction that runs through European digital governance. The governments that built and fund mass surveillance programs - GCHQ in the UK, BND in Germany, DGSI in France - are also the architects and enforcers of GDPR, a privacy framework they explicitly exempt themselves from via national security carve-outs. Intelligence agencies operate outside GDPR's scope entirely. Private companies face billion-euro fines for the same type of data collection that state agencies conduct with minimal oversight and zero transparency.
This two-tier structure is not accidental. France's intelligence surveillance laws have expanded steadily since 2015. The 2021 Pegasus Project investigation revealed that French intelligence had procured NSO Group spyware - tools designed to silently compromise devices and extract data that even encrypted messaging apps cannot protect. None of this triggered GDPR enforcement action. GDPR does not apply when the state is the one collecting.
What the Durov-Musk Alignment Signals
The public alliance between Durov and Musk is notable because their platforms are often positioned as competitors in the secure communications space. Both have clashed with European regulators - Telegram over law enforcement access demands, X over content moderation requirements. Their shared position is that European regulatory action is not neutral enforcement of privacy rights but selective application of rules to coerce platform compliance on political content. Whether that characterization is entirely accurate is debatable. But the structural asymmetry - state surveillance exempt, platform surveillance prosecuted - gives the argument real weight.
While regulators and platforms fight over data rights at the institutional level, the only layer that reliably protects individual users on both sides of this equation is encryption at the source. A VPN routes your traffic through an encrypted tunnel before it reaches any platform subject to government data requests - reducing exposure to both the corporate data collection that regulators are targeting and the state-level interception that regulators exempt themselves from.
