On July 15, 2026, the European Union announced it had accepted an action plan from Elon Musk's X to comply with transparency obligations under the Digital Services Act. The announcement was framed as a triumph of regulatory oversight. But for anyone genuinely concerned about privacy, what the EU actually accepted was a masterclass in corporate BS. One that mistakes transparency for protection and cedes the real power to the very company that violated privacy rules in the first place.
Let's be clear about what led to this moment: The EU fined X €120 million last year for privacy violations. This wasn't a tap on the wrist. This was the European Commission concluding that X had systematically failed to meet its legal obligations. Yet rather than imposing concrete restrictions on X's data practices, the EU's response was to accept a plan (written by X itself!) that promises to be "more transparent." This is not regulatory enforcement. This is a negotiated settlement that prioritizes the appearance of compliance over actual privacy protection. The framing in the official statement is telling:
"The approved measures represent an important step in enabling researchers, civil society and the public in general to gain more transparency into X's systems."
Notice what this language does. It shifts the burden of privacy protection away from X (away from the company that must actually stop collecting and misusing personal data) and places it on researchers, civil society organizations, and the public to scrutinize X's practices. In other words, the EU isn't requiring X to change what it does; it's requiring X to be honest about what it does, and trusting external actors to police the company's behavior.
This is a fundamental misunderstanding of privacy protection.
Here's the uncomfortable truth that privacy advocates need to articulate loudly: transparency is not the same as privacy. You can be entirely transparent about violating someone's privacy. In fact, you can be transparent about practices that are so egregious that calling them merely "transparent violations" becomes absurd.
Consider what "transparency" might look like for X under this action plan. The company could openly document that it:
If X simply disclosed all of this in a detailed report that researchers could access, would we have meaningfully addressed privacy violations? From a privacy purist's perspective, no. We would have merely added insult to injury by forcing privacy advocates to publicly acknowledge the full scope of the problem while the company continues unchanged.
The real privacy protection would involve X collecting less data in the first place. It would mean encryption by default, data minimization, meaningful user consent, and deletion rights. It would mean restricting how the company can use personal information, not just explaining how it does so.
The EU's action plan has a major blind spot: it doesn't require X to collect less information about you or stop sharing it with advertisers and other companies. Instead, it only promises transparency. Meaning X will explain what it does, but isn't forced to change. You, as a regular user, won't get new rights to access your data, delete it, or control how it's used. Even worse, researchers who might investigate X's practices will likely face restrictions: they can only access data under strict agreements, and X can challenge or suppress their findings if they're unflattering.
We've seen this before: Facebook restricted researcher access when studies showed mental health harms, and Google keeps its most sensitive algorithmic secrets locked away. X will probably do the same.
The plan also offers no real enforcement teeth. If X fails to implement these transparency measures, there's no mention of concrete penalties or clear timelines for what happens next. The statement vaguely mentions "enhanced supervision," but that's corporate speak for "we'll watch you more closely" and not "we'll punish you if you violate this agreement." Without enforcement mechanisms, this action plan is essentially X's promise to try harder, backed by nothing but hope that regulators will actually follow up.
X now has six months to implement this action plan. From a privacy perspective, this timeline should raise immediate red flags. Six months is long enough for a company to:
Six months is also suspiciously convenient. It's long enough to make regulators feel they've accomplished something, but short enough that the public attention will have moved on to other scandals by the time implementation deadlines approach.
The commitment to "external and independent audit" sounds reassuring until you ask the obvious questions: Who selects the auditors? Who pays for them? What exactly will they audit? And most critically: What happens if they find problems?
"External and independent" auditors of tech companies are rarely independent of the tech industry ecosystem. They're often staffed by former employees of the companies they audit. Their findings are frequently softened or mediated by corporate communications teams before public release. And there's rarely any mechanism to force a company to actually remediate problems identified by an audit. An audit is a compliance tool. It's not a guarantee of change.
Real privacy protection isn't complicated. It means companies collect only what they need, encrypt user data by default, and let people actually control their own information. It means no sharing data with third parties without explicit consent. It means transparency about algorithms that comes with real accountability. Not just disclosure, but a requirement that those algorithms don't discriminate or harm people. And it means violations come with teeth: actual penalties and forced remediation, not just promises to be better next time.
X's accepted action plan delivers on none of these. The EU didn't regulate X. It basically accepted an excuse dressed up as compliance. The plan treats transparency as if it's the same as actual privacy protection, keeps X in control of its own practices while merely asking the company to explain them, and gives X six months to implement something with no enforcement mechanism to speak of. This isn't a regulatory win. It's a masterclass in corporate negotiation: X violated the rules, paid a fine, and now gets to design its own comeback, choose its own timeline, work with auditors it can influence, and control which researchers get access. The real question isn't whether X will be transparent about what it does. The real question is: why are we still letting X do it at all?