One of Europe’s most powerful privacy regulator just put Elon Musk’s X on notice for issues pertaining to its Grok AI. A potential fine worth billions of dollars in revenue now hangs over the platform’s head.
Ireland’s Data Protection Commission launched a large-scale formal investigation into X Internet Unlimited Company on Monday, February 17, targeting the platform’s Grok artificial intelligence chatbot over its generation of nonconsensual sexually explicit deepfake images, including images involving children.
The inquiry concerns the apparent creation and publication on the X platform of potentially harmful, nonconsensual intimate and sexualized images containing or involving the processing of personal data of EU and EEA data subjects, including children, using generative AI functionality associated with the Grok large language model.
The DPC serves as X’s lead EU regulator because the U.S. company’s European operations are headquartered in Dublin. It can levy fines of up to 4% of a company’s global revenue under the bloc’s GDPR rules. X’s global revenue runs into billions of dollars annually, meaning a finding of serious non-compliance could produce a landmark penalty for AI-enabled harm.
Grok’s Nonconsensual Sexualized Deepfakes – the Problem
Grok sparked a global backlash last month after it started granting requests from X users to undress people with its AI image generation and editing capabilities, including putting females in transparent bikinis or revealing clothing. Researchers said some images appeared to include children. The company later introduced restrictions on Grok’s image generation, but European authorities dismissed those measures as insufficient.
In response to the outcry over the deepfakes, some countries announced in January they were launching probes into Grok, increasing regulatory pressure or even blocking it altogether. The cascade of investigations now surrounds X on multiple regulatory fronts simultaneously.
The European Commission opened an investigation on January 26 into whether Grok disseminates illegal content such as manipulated sexualized images in the EU. And on February 3, Britain’s privacy watchdog launched a formal investigation into Grok over the processing of personal data and its potential to produce harmful sexualized images and video content.
Read: European Commission Investigates Grok AI After Explicit Images of Minors Surface
Compliance Obligations Scrutinized
Ireland’s DPC investigation examines X’s compliance with four specific GDPR articles. The inquiry will determine whether X complied with Article 5 on principles of processing, Article 6 on lawfulness of processing, Article 25 on data protection by design and by default, and Article 35 on the requirement to carry out a data protection impact assessment. Data protection by design requires organizations to embed privacy safeguards into systems from the ground up rather than bolting them on afterward.
Deputy Commissioner Graham Doyle did not mince words in announcing the probe. The DPC has been engaging with X Internet Unlimited Company since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the @Grok account on X to generate sexualized images of real people, including children. As the Lead Supervisory Authority for XIUC across the EU/EEA, the DPC has commenced a large-scale inquiry which will examine XIUC’s compliance with some of their fundamental obligations under the GDPR in relation to the matters at hand,” Doyle stated.
X did not respond to a request for comment. The platform’s silence stands in contrast to the mounting regulatory pressure building around its flagship AI product.
Under fire, X said last month it was restricting Grok’s image generation and editing to paying subscribers. But Reuters found earlier this month that Grok continued generating problematic images when prompted, even after X announced the restrictions—suggesting the company’s self-regulatory measures proved cosmetically inadequate.
The platform already faces a separate EU investigation from Brussels over whether it complies with the Digital Services Act, the bloc’s digital rulebook requiring platforms to curb the spread of illegal content such as child sexual abuse material. The dual-track regulatory pressure under both GDPR and the DSA creates compounding legal exposure.
Read: European Commission Launches Fresh DSA Investigation Into X Over Grok AI Risks
The Irish move comes despite repeated U.S. threats of retaliation against enforcement of tech rules that Trump’s administration seeks to frame as attacks on free speech and unfair targeting of American firms. The geopolitical dimension adds complexity to an already fraught regulatory relationship between European authorities and U.S. technology platforms under the current administration.
The investigation’s scope signals that European regulators treat AI-generated nonconsensual intimate imagery as a serious GDPR violation rather than merely a content moderation issue. By framing the probe around data protection principles rather than content rules, the DPC asserts that generating realistic sexualized images of real individuals without consent constitutes unlawful processing of personal data—a novel but consequential legal theory that could reshape how AI image generation tools operate across the EU.
X faces no immediate penalty. GDPR investigations typically proceed over months or years before reaching conclusions, giving the company time to negotiate and remediate. However, the DPC’s track record of issuing substantial fines—including a record €1.2 billion penalty against Meta in 2023—signals the regulator’s willingness to deploy its full enforcement arsenal against major U.S. platforms that fall short of European data protection standards.
