Ireland now also investigating X over Grok-made sexual images

Source: Bleeping Computer

Irish investigation

Ireland’s Data Protection Commission (DPC), the country’s data protection authority, has opened a formal investigation into X over the use of the platform’s Grok artificial intelligence tool to generate non‑consensual sexual images of real people, including children.

The DPC, which also serves as the lead European Union privacy regulator for X due to the company’s Irish headquarters, said the inquiry will examine whether X Internet Unlimited Company (X’s EU subsidiary) complied with core GDPR obligations, including the principles of lawful processing, data protection by design, and the requirement to conduct data protection impact assessments.

“The DPC has been engaging with XIUC since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the @Grok account on X to generate sexualised images of real people, including children,” said Deputy Commissioner Graham Doyle on Tuesday.
Source

“As the Lead Supervisory Authority for XIUC across the EU/EEA, the DPC has commenced a large‑scale inquiry which will examine XIUC’s compliance with some of their fundamental obligations under the GDPR in relation to the matters at hand.”

International enforcement actions

The Irish investigation joins a growing multinational enforcement effort targeting X’s Grok AI operations:

• United Kingdom – The Information Commissioner’s Office (ICO) launched its own formal investigation on 3 February.
  Read more

• European Commission – Opened proceedings in January to examine whether X properly assessed risks under the Digital Services Act before deploying Grok.
  Read more

• California – Attorney General Rob Bonta announced an investigation into XAI’s Grok over undressed sexual AI content.
  Read more

• UK Online Safety Regulator (Ofcom) – Launched an investigation into X over Grok‑generated sexualised imagery.
  Read more

• France – Prosecutors raided X’s Paris offices as part of a separate criminal probe into whether Grok generated child sexual abuse material and Holocaust denial content. French authorities have also summoned Elon Musk, CEO Linda Yaccarino, and several X employees for interviews in April.
  Read more

Potential penalties

As the lead EU supervisory authority, the DPC’s findings could result in substantial fines enforceable across all 27 EU member states and the three European Economic Area countries (Iceland, Liechtenstein, and Norway).

The ICO, as the UK’s independent data protection regulator, can also impose fines of up to £17.5 million or 4 % of a company’s worldwide annual turnover.