Dublin, Ireland – Ireland’s Data Protection Commission (DPC) has launched a formal, large-scale inquiry into X, formerly known as Twitter, over concerns that its artificial intelligence chatbot, Grok, is being used to generate non-consensual sexual images of individuals, including children. The investigation centers on whether X has violated the General Data Protection Regulation (GDPR) through the processing of personal data in the creation and dissemination of these images.
The DPC, which serves as the lead privacy regulator for X within the European Union due to the company’s Irish headquarters, announced the inquiry on Tuesday. The probe will specifically examine X Internet Unlimited Company’s (XIUC) compliance with core GDPR principles, including lawful data processing, data protection by design, and the requirement for data protection impact assessments. This action underscores growing international scrutiny of X’s content moderation practices and the potential harms stemming from its AI technologies.
“The DPC has been engaging with XIUC since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the @Grok account on X to generate sexualised images of real people, including children,” stated DPC Deputy Commissioner Graham Doyle. “As the Lead Supervisory Authority for XIUC across the EU/EEA, the DPC has commenced a large-scale inquiry which will examine XIUC’s compliance with some of their fundamental obligations under the GDPR in relation to the matters at hand.”
This investigation is part of a broader, multinational effort to hold X accountable for the alleged misuse of Grok. The UK’s Information Commissioner’s Office (ICO) initiated its own formal investigation on February 3rd, while the European Commission began proceedings in January to assess whether X adequately evaluated the risks associated with deploying Grok under the Digital Services Act (DSA).
Growing International Pressure on X
Beyond Europe, legal authorities are also scrutinizing X’s handling of AI-generated content. California Attorney General Rob Bonta and the UK’s online safety regulator, Ofcom, are independently investigating the platform over the creation and sharing of non-consensual sexually explicit material through Grok. The escalating legal pressure reflects widespread concerns about the potential for AI to facilitate abuse and the challenges of regulating rapidly evolving technologies.
Earlier this month, French prosecutors raided X’s Paris offices as part of a criminal investigation into whether Grok was used to generate child sexual abuse material and Holocaust denial content. According to reports, French authorities have summoned Elon Musk, X CEO Linda Yaccarino, and other X employees for interviews in April.
The DPC’s investigation carries significant weight, as its findings could lead to substantial fines applicable across all 27 EU member states and the three European Economic Area countries (Iceland, Liechtenstein, and Norway). The ICO also possesses the authority to impose fines of up to £17.5 million, or 4% of X’s global annual turnover, for GDPR violations.
Potential Penalties and Regulatory Landscape
The potential financial penalties underscore the increasing regulatory risks facing large technology companies. Violations of the GDPR can result in fines of up to 4% of a company’s total global revenue, as noted in reports from DW.com. The separate EU probe under the Digital Services Act could lead to fines of up to 6% of global revenues.
The investigations come as regulators worldwide grapple with the challenges of balancing innovation with the require to protect individuals from harm. The DSA, in particular, requires online platforms to proactively address illegal and harmful content.
What comes next will likely involve a lengthy and complex legal process as X responds to the various investigations and attempts to demonstrate its compliance with data protection and content moderation regulations. The outcomes of these inquiries could set important precedents for the regulation of AI-generated content and the responsibilities of social media platforms in safeguarding user privacy and safety.
Share your thoughts on this developing story in the comments below.
