How X's "Transparency Plan" saves its ass from the EU

How X's "Transparency Plan" saves its ass from the EU

  • mdo  Mynymbox
  •   News
  •   July 15, 2026

On July 15, 2026, the European Union announced it had accepted an action plan from Elon Musk's X to comply with transparency obligations under the Digital Services Act. The announcement was framed as a triumph of regulatory oversight. But for anyone genuinely concerned about privacy, what the EU actually accepted was a masterclass in corporate BS. One that mistakes transparency for protection and cedes the real power to the very company that violated privacy rules in the first place.

The Context we cannot ignore

Let's be clear about what led to this moment: The EU fined X €120 million last year for privacy violations. This wasn't a tap on the wrist. This was the European Commission concluding that X had systematically failed to meet its legal obligations. Yet rather than imposing concrete restrictions on X's data practices, the EU's response was to accept a plan (written by X itself!) that promises to be "more transparent." This is not regulatory enforcement. This is a negotiated settlement that prioritizes the appearance of compliance over actual privacy protection. The framing in the official statement is telling:

"The approved measures represent an important step in enabling researchers, civil society and the public in general to gain more transparency into X's systems." 

Notice what this language does. It shifts the burden of privacy protection away from X (away from the company that must actually stop collecting and misusing personal data) and places it on researchers, civil society organizations, and the public to scrutinize X's practices. In other words, the EU isn't requiring X to change what it does; it's requiring X to be honest about what it does, and trusting external actors to police the company's behavior.

This is a fundamental misunderstanding of privacy protection.

The Transparency Trap

Here's the uncomfortable truth that privacy advocates need to articulate loudly: transparency is not the same as privacy. You can be entirely transparent about violating someone's privacy. In fact, you can be transparent about practices that are so egregious that calling them merely "transparent violations" becomes absurd.

Consider what "transparency" might look like for X under this action plan. The company could openly document that it:

  • Collects detailed behavioral data on every user interaction
  • Tracks users across the web using pixels and cookies
  • Shares data with advertisers and data brokers
  • Uses algorithmic systems to amplify content in ways it doesn't fully understand
  • Retains user data indefinitely without meaningful user consent

If X simply disclosed all of this in a detailed report that researchers could access, would we have meaningfully addressed privacy violations? From a privacy purist's perspective, no. We would have merely added insult to injury by forcing privacy advocates to publicly acknowledge the full scope of the problem while the company continues unchanged.

The real privacy protection would involve X collecting less data in the first place. It would mean encryption by default, data minimization, meaningful user consent, and deletion rights. It would mean restricting how the company can use personal information, not just explaining how it does so.

The Plan doesn't actually stop X from collecting your Data or limit what it does with it

The EU's action plan has a major blind spot: it doesn't require X to collect less information about you or stop sharing it with advertisers and other companies. Instead, it only promises transparency. Meaning X will explain what it does, but isn't forced to change. You, as a regular user, won't get new rights to access your data, delete it, or control how it's used. Even worse, researchers who might investigate X's practices will likely face restrictions: they can only access data under strict agreements, and X can challenge or suppress their findings if they're unflattering. 

We've seen this before: Facebook restricted researcher access when studies showed mental health harms, and Google keeps its most sensitive algorithmic secrets locked away. X will probably do the same.

The plan also offers no real enforcement teeth. If X fails to implement these transparency measures, there's no mention of concrete penalties or clear timelines for what happens next. The statement vaguely mentions "enhanced supervision," but that's corporate speak for "we'll watch you more closely" and not "we'll punish you if you violate this agreement." Without enforcement mechanisms, this action plan is essentially X's promise to try harder, backed by nothing but hope that regulators will actually follow up.

The Six-Month Timeline: Corporate Stalling

X now has six months to implement this action plan. From a privacy perspective, this timeline should raise immediate red flags. Six months is long enough for a company to:

  1. Design compliance systems that technically meet requirements while minimizing actual change
  2. Develop "transparency" tools that are so complicated or limited in scope that they're effectively useless
  3. Prepare public relations messaging to frame whatever steps they take as meaningful reforms
  4. Identify which commitments are easy to implement (surface-level reporting) versus which require genuine change (data minimization) and quietly deprioritize the latter

Six months is also suspiciously convenient. It's long enough to make regulators feel they've accomplished something, but short enough that the public attention will have moved on to other scandals by the time implementation deadlines approach.

The Audit Smokescreen

The commitment to "external and independent audit" sounds reassuring until you ask the obvious questions: Who selects the auditors? Who pays for them? What exactly will they audit? And most critically: What happens if they find problems?

"External and independent" auditors of tech companies are rarely independent of the tech industry ecosystem. They're often staffed by former employees of the companies they audit. Their findings are frequently softened or mediated by corporate communications teams before public release. And there's rarely any mechanism to force a company to actually remediate problems identified by an audit. An audit is a compliance tool. It's not a guarantee of change.

Why X's Plan isn't actually Privacy

Real privacy protection isn't complicated. It means companies collect only what they need, encrypt user data by default, and let people actually control their own information. It means no sharing data with third parties without explicit consent. It means transparency about algorithms that comes with real accountability. Not just disclosure, but a requirement that those algorithms don't discriminate or harm people. And it means violations come with teeth: actual penalties and forced remediation, not just promises to be better next time.

X's accepted action plan delivers on none of these. The EU didn't regulate X. It basically accepted an excuse dressed up as compliance. The plan treats transparency as if it's the same as actual privacy protection, keeps X in control of its own practices while merely asking the company to explain them, and gives X six months to implement something with no enforcement mechanism to speak of. This isn't a regulatory win. It's a masterclass in corporate negotiation: X violated the rules, paid a fine, and now gets to design its own comeback, choose its own timeline, work with auditors it can influence, and control which researchers get access. The real question isn't whether X will be transparent about what it does. The real question is: why are we still letting X do it at all?