Ireland opens formal probe into X's Grok AI over non-consensual sexualized images

Ireland opens formal Grok investigation

The Irish Data Protection Commission (DPC) launched a formal investigation into Elon Musk’s X following reports that its Grok AI chatbot generated non-consensual sexualized images of real people. The regulator confirmed the probe began under Section 110 of the Data Protection Act 2018. This inquiry focuses specifically on the AI's ability to create nude or nearly nude images from uploaded photographs. The DPC serves as the lead supervisory authority for X across the European Union because the company maintains its regional headquarters in Dublin. Deputy Commissioner Graham Doyle stated the agency has engaged with X for several weeks following media reports about Grok's image generation capabilities. The investigation will determine if the platform failed to protect the personal data of EU and EEA citizens, including children. Officials are examining whether the "Grok" account on the X platform processed personal data in a way that led to the publication of harmful, sexualized content. This marks a significant escalation in regulatory pressure for the social media company. While X previously claimed to have implemented technological safeguards, the DPC is now testing the effectiveness of those barriers.

GDPR compliance under the microscope

The investigation centers on several fundamental obligations under the General Data Protection Regulation (GDPR). The DPC will evaluate if X violated Articles 5, 6, 25, and 35 of the European data privacy framework. These articles dictate how companies must handle sensitive information and design their products with privacy in mind. The probe focuses on the following legal requirements:

• Article 5: Principles relating to the processing of personal data, including transparency and purpose limitation.
• Article 6: The requirement for a valid legal basis to process personal data.
• Article 25: Data protection by design and by default, requiring safety features at the development stage.
• Article 35: The necessity of conducting a Data Protection Impact Assessment (DPIA) for high-risk technologies like generative AI.

Regulators want to know if X conducted a thorough risk assessment before deploying Grok to its user base. Under GDPR, companies must prove they have minimized the risks of data misuse before launching tools that process public or private images. If the DPC finds that X ignored these steps, the company could face significant financial penalties.

Global authorities target X platform

Ireland is not the only jurisdiction targeting X for its AI safety practices. The European Commission is running a parallel investigation under the Digital Services Act (DSA). While the DPC focuses on data privacy, the Commission is looking at systemic risks, including the spread of illegal content and the platform's moderation failures. The United Kingdom has deployed two separate regulators to monitor the situation. The Information Commissioner’s Office (ICO) is investigating the data protection angle, while Ofcom is reviewing the platform’s compliance with the Online Safety Act. This dual-track approach ensures that both the underlying data and the resulting harmful content are subject to government oversight. Other nations have also opened inquiries or requested information from X regarding Grok:

• Australia: The eSafety Commissioner is investigating the creation of deepfake content.
• France: The CNIL has maintained a broad investigation into X since January 2024.
• Canada: Privacy officials are reviewing the platform's consent models for AI training.
• India and Indonesia: Regulators are examining the impact of AI-generated misinformation and non-consensual imagery.

Technical safeguards and platform changes

X’s safety team claimed in January 2024 that they had blocked Grok from editing images of real people in revealing clothing. The company stated it implemented technological measures to prevent the Grok account from facilitating these prompts. However, users continued to find workarounds that allowed the AI to generate sexualized depictions of celebrities and private individuals. In response to initial regulatory pressure, X restricted access to Grok's image-generation features. The company first moved the tool behind a paywall, making it available only to Premium and Premium+ subscribers. Later, X expanded these restrictions to all users as the DPC and other regulators intensified their scrutiny. These shifts suggest that X is struggling to balance Musk’s "free speech" mandate with the technical realities of AI safety. The platform’s reactive approach—fixing flaws only after they are exploited—is a primary concern for the DPC. The regulator will decide if these late-stage restrictions satisfy the "privacy by design" requirements of European law.

Legal risks for AI training

The DPC investigation also touches on how X uses public posts to train the Grok large language model. In August 2024, X agreed to stop processing the personal data of EU users contained in public posts for AI training purposes following a separate legal challenge by the DPC. That agreement was a temporary measure to settle an urgent court application. This new inquiry goes further by looking at the output of the model rather than just the training data. If Grok can be prompted to "undress" a person using their uploaded photo, it constitutes a processing of personal data. The DPC must determine if X had any legal right to allow its AI to manipulate images in this manner. Legal experts suggest that X faces a difficult defense because the harm involves non-consensual intimate imagery (NCII). Courts and regulators generally view the creation of sexualized deepfakes as a high-risk activity that requires the highest level of protection. The presence of images involving children in these reports further increases the legal stakes for the company.

X faces mounting regulatory pressure

The DPC’s large-scale inquiry marks a turning point for X’s operations in Europe. Since Musk’s takeover in 2022, the company has drastically reduced its trust and safety staff. Regulators are now questioning whether the remaining team can effectively police a generative AI tool that is integrated directly into the social feed. The outcome of this investigation could result in fines of up to 4 percent of X’s global annual turnover. Beyond the money, the DPC has the power to order X to change its data processing practices or suspend Grok entirely within the EU. This would be a major blow to X’s attempts to compete with other AI companies like OpenAI and Google. X must now provide the DPC with detailed documentation regarding its internal safety tests and the logic behind Grok’s guardrails. The investigation will likely take several months as the DPC coordinates with other European data authorities. The era of "move fast and break things" is clearly clashing with the rigid structure of the GDPR.