X’s Chilling Defense in Our Twitter Data Leak Case: Why We Fight for EU Consumer Rights

SOMI has filed a landmark class action in Berlin against X (formerly Twitter) over alleged GDPR violations, including a massive Twitter data leak. Instead of addressing the data protection and consumer rights issues, X’s official statement of defense (submitted in September 2025) tries everything to dismiss the case and deny responsibility. The company’s lawyers argue that SOMI has no legal standing, that our financing model is illegitimate, that no GDPR rules were broken (and thus no user deserves any data protection compensation), and even that German courts have no authority to hear the case. Below, we break down these key arguments from X – and show why they’re as dangerous as they are wrong, reinforcing our resolve to fight for consumer rights in the EU.

calendar Dec Thu 18 2025

X Claims SOMI Has No Right to Sue

From the outset, X attacks our very right to bring this class action. Their defense claims that SOMI lacks the legal standing to sue on consumers’ behalf, painting us as a purely commercial enterprise with no genuine public interest. In their words, SOMI is part of a profit-driven network and even a “commercially structured instrument for profit maximization” serving its founder’s enrichment[1]They argue that we don’t meet the EU criteria for an independent consumer organization, alleging that decision-making is all in one person’s hands and accusing us of operating for “his own economic interests[2].

Our Rebuttal. This is a blatant attempt to discredit SOMI’s mission and silence consumers. SOMI is a registered non-profit foundation fighting for users’ rights; we have no shareholders and no hidden profit agenda. Yes, we seek damages – but only to compensate European consumers and ensure X is held accountable for GDPR violations. By questioning our motives, X hopes to distract from their own wrongdoing. If companies like X can bar consumer lawsuits by smearing public-interest groups as “commercial,” it sets a dangerous precedent. We cannot let that happen. We’re proud to meet the legal standards for collective actions, as laid down in the Representative Actions Directive (RAD). The Dutch and German courts have declared SOMI admissible, and we’ll prove in court that our only “interest” is justice for consumers[3].

X Attacks SOMI’s Funding as a Profit Scheme.

Unable to refute the merits of our claims, X’s defense also targets our financing model. They highlight that SOMI raises money through innovative means – notably participation certificates that let supporters invest in our legal actions – and twist this into a sinister narrative. According to X, our funding model “promises returns of up to 600 percent” to backers and thus “degrades consumer rights […] to a financial product”[4]. The defense argues that we are essentially profiting off lawsuits: saying that any compensation won for consumers would just line investors’ pockets, not help users[5]. X even claims this model violates EU financial laws (an “inadmissible third-party financing” of litigation) and boasts that it has reported SOMI to regulators over it[6]. In their view, SOMI is misusing the consumer protection banner to run a for-profit scheme – and they urge the court to throw out our case on this basis.

Our Rebuttal. Let’s be clear: SOMI’s financing through participation certificates is a tool for empowering consumers, not exploiting them. We developed this model precisely because traditional funding sources are limited when taking on Big Tech giants. We chose a transparent, crowdsourced funding approach – one that shares potential rewards with supporters who believe in our cause. X’s lawyers call this a “financial product” as if that’s a dirty word[7]. But what it really is, is an equalizer. It levels the playing field, allowing everyday Europeans to collectively support a class action against X and other tech firms that would otherwise outspend any single plaintiff. All our activities are conducted openly and in line with the law (we strongly contest X’s accusations of regulatory violations). The irony is rich: X, a multi-billion dollar corporation, tries to cast our nonprofit’s grassroots funding as greedy, when in fact we’re fighting against corporate greed. If the court were to buy X’s argument, it would discourage new and innovative ways for consumers to band together and hold powerful companies to account – effectively telling consumers to sit down and be quiet unless they have deep pockets or taxpayer funding. We won’t let X stigmatize a model that enables collective justice. Our commitment is that any funds we raise serve one goal: securing redress and compensation for consumers harmed by X’s actions.

X Denies Any GDPR Violations in the Twitter Data Leak

Perhaps the most chilling part of X’s defense is their complete denial that they did anything wrong in the first place. They flatly insist that no GDPR rules were breached – specifically dismissing claims that X violated Article 9 GDPR (which governs the processing of special categories of personal data) or Article 22 GDPR (which limits automated decision-making and profiling)[8]. According to X, the Twitter data leak that sparked this case wasn’t a real problem at all: they argue there was “no loss of control” over personal data for users, and that our concerns about the consequences of the leak are merely “subjective fears” with no real harm[9]. X’s filing downplays the incident as a “so-called API bug”, implying that even if hackers obtained user data, it hasn’t hurt anyone – so in their view, affected individuals don’t deserve any remedy or data protection compensation. This brazen stance essentially amounts to “No harm, no foul” – X claims that even if something happened, it doesn’t count as a GDPR violation and they should owe nothing.

Our Rebuttal. We reject this shameless denial. The facts speak for themselves: in 2021–2022, a bug in Twitter’s API was exploited to harvest the data of millions of users, linking email addresses and phone numbers to Twitter accounts on a massive scale[10]. Independent researchers estimate that roughly 200 million accounts were affected, exposing countless people to spam, phishing, and identity theft risks[11]. This Twitter data leak is very real, and its impact is real – even if X refuses to acknowledge it. Under EU law, losing control of one’s personal information is a harm in itself[12]. Privacy is a fundamental right, and the GDPR recognizes that non-material damage (like distress, reputational harm, or risk of misuse of data) is still valid damage. X’s argument that users suffer only “subjective fears”[13] is insulting to everyone who has had their private info passed around online without consent. We know many users feel violated and exposed. By denying any wrongdoing, X is effectively saying that it can leak your data and face zero consequences – a stance we find unacceptable. SOMI’s message in this lawsuit is that X did violate GDPR and must answer for it. Companies don’t get to decide that your data rights aren’t worth upholding. We will prove that X failed its legal obligations to protect user data, and we will fight for each user’s right to data protection compensation for that failure.

X Claims German Courts Can’t Hold It Accountable

In a final bid to sidestep responsibility, X argues that the case shouldn’t even be heard in Germany. Their statement of defense challenges the jurisdiction of the Berlin court, claiming that because X is based in Ireland and SOMI is based in the Netherlands, German courts “do not have international jurisdiction” over the dispute[14]. X asserts that we should have filed in Ireland (where its European headquarters is located), and therefore the Berlin court must dismiss the lawsuit on procedural grounds. In plain terms, X is trying to get off the hook by saying “Wrong court, case closed”. This kind of argument is a classic tactic large corporations use to avoid scrutiny – attempting to move lawsuits to forums they consider more favorable (or at least farther away from the affected users).

Our Rebuttal. X’s jurisdictional dodge shows exactly why EU consumer protection needs to be bold and cross-border. We chose Berlin for this collective action because Germany has new legislation enabling consumers across Europe to join forces in such cases. X’s services and the data leak affected users EU-wide, including many in Germany – it is entirely appropriate for a German court to hear the case. By insisting everything must happen in Ireland, X hopes to exploit the fact that its home jurisdiction has historically been slow and lenient in enforcing privacy laws. For everyday users, being forced to pursue legal action in a foreign country (in a language and legal system not their own) is an obvious barrier to justice. If X’s view prevailed, any big tech company could escape accountability by corralling all lawsuits to its home base, no matter where the harm occurred. That would undermine the very concept of European consumer rights, which aim to provide equal protection no matter where you live in the EU. SOMI has been designated as a Cross-border Qualified Entity, allowing us to bring cross-border representative actions across EU Member states and we firmly believe the Berlin court does have authority here, and will continue to make the case that justice should be accessible to consumers in their own country[15]. X’s attempt to delay or derail the process on a technicality speaks volumes about its unwillingness to answer for its actions. We will not let jurisdictional games trample the rights of the people we represent.

The Chilling Implications for Consumer Rights

X’s defense isn’t just an attack on SOMI – it’s an attack on consumer rights in Europe. If a company as powerful as X succeeds with these arguments, the precedent would be chilling. Consider what they’re really saying: that no consumer advocacy group can challenge them unless it’s a perfectly disinterested, volunteer-run outfit with no modern funding streams; that even if your personal data is compromised, you shouldn’t be alarmed or expect compensation; and that big tech firms can dictate where they can be sued. This vision should alarm every user and consumer in the EU. It effectively raises the barrier for holding corporations accountable to an impossible high bar. It would scare off collective actions by branding them “commercial enterprises.” It would allow companies to hide behind narrow definitions of harm – glossing over blatant privacy breaches – and evade payouts by claiming “prove you suffered, or you get nothing.” And it would let multinational giants forum-shop their way out of trouble. In short, it hands Big Tech a playbook to avoid justice.

We must not let that happen. This case is about more than one data leak or one organization – it’s about the future of digital rights and corporate accountability. SOMI was founded to make sure that ordinary people can band together to enforce their rights under laws like the GDPR. If X’s strategy prevails, it would send a signal to every tech behemoth that they can ignore consumer rights with impunity, so long as they outlast and outmaneuver the people trying to stand up to them. We’re determined to stop that outcome. By pushing back against X’s arguments, we aim to strengthen the legal tools for consumers, not see them whittled away. Privacy, transparency, fairness – these principles are on trial here too. And we refuse to let them be eroded by a self-serving corporate defense.

Call to Action: Share Your Story and Join the Fight

This is a pivotal moment for holding X (formerly Twitter) accountable – and we can’t do it alone. We call on users across Europe to stand with us. Have you had a bad experience with X’s platform, such as your data being misused or your report of a privacy breach ignored? Are you a current or former X employee with insider knowledge or documents that contradict the rosy picture X paints in its defense? We want to hear from you. Whistleblowers and affected users are crucial to exposing the truth behind X’s claims. Contact SOMI (you can reach out confidentially via our website or email: welcome@somi.nl) to share your story or evidence. As a token of our gratitude – and to further empower those who help fight for accountability – SOMI is offering between €1,000 and €10,000 in participation certificates to individuals whose contributions significantly strengthen the case. Your information could be the game-changer that helps us counter X’s narrative and win justice for millions.

At the same time, we invite all X (Twitter) users to join our class action if you haven’t already. This lawsuit is open to users from Germany, but we also have actions going against X in Belgium and in The Netherlands – a truly pan-European effort to assert your rights. Joining the claim is simple and available via our website, for the price of EUR 7,50 and it ensures you are counted among those seeking compensation and change. Alternatively, consumers can also register for free on the website of the Bundesamt für Justiz (Federal Office of Justice). By joining, you lend your voice and weight to this collective demand for fairness. Every additional claimant shows X and the court that users refuse to be silent when their rights are at stake.

Finally, we encourage you to explore SOMI’s wider work. Our fight with X is just one front in a larger battle for consumer rights and data protection. From holding social media companies to the Digital Services Act to advocating for stronger privacy safeguards, SOMI is active on multiple fronts to make the digital world fairer for consumers. Learn more about our campaigns[16] and consider getting involved – whether it’s our action against TikTok’s data practices or other initiatives, we are building a movement for accountability in Big Tech.

Your support matters. X’s defense might be full of legal maneuvers and bold denials, but with your help – your stories, your participation, your belief in the cause – we can cut through all that and prevail. This is about standing up to a tech giant and saying: our data, our rights, our rules. Let’s prove that in Europe, no company is above the law. Join us, share your experience, and together, let’s hold X to account and show that consumer rights in the EU are here to stay.

Together, we’ll make sure X hears us – and that justice is served.

By Pierre Peccolo

[1] X’s Statement of Defense (Berlin class action), 18 Sept 2025 – Key arguments on jurisdiction, financing, standing and denial of GDPR violations.

[2] [3] [4] [5] [6] [7] [8] [9] Ibidem.

[10] Twitter Data Leak: What the Exposure of 200 Million User Emails Means for You | WIRED https://www.wired.com/story/twitter-leak-200-million-user-email-addresses/

[11] Ibidem.

[12] Recital 85 GDPR. https://gdpr-text.com/it/read/recital-85/

[13] X’s Statement of Defense (Berlin class action), 18 Sept 2025.

[14] Ibidem.

[15] Cross-border Qualified Entities | EC-REACT. (n.d.). https://representative-actions-collaboration.ec.europa.eu/cross-border-qualified-entities

[16] SOMI https://somi.nl


You might also like:

SOMI’s statement regarding the AP’s € 750,000 fine to TikTok
calendar 2021-08-10 05:58:17
The financial sector in the Netherlands is too powerful
calendar 2020-10-20 10:36:00
Is Facebook losing control?
calendar 2022-03-14 13:08:50