The Data Protection Commission is examining X’s use of generative AI after reports that the Grok account could create non-consensual intimate images of real individuals.
In a press release published today, the Data Protection Commission (DPC) announced it has opened an inquiry into X Internet Unlimited Company (XIUC) under section 110 of the Data Protection Act 2018.
The inquiry concerns the creation and publication of potentially harmful and non-consensual sexualised images involving the personal data of EU subjects, including children, through the Grok large language model.
“The DPC has been engaging with XIUC since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the @Grok account on X to generate sexualised images of real people, including children,” Deputy Commissioner Graham Doyle said.
“As the Lead Supervisory Authority for XIUC across the EU/EEA, the DPC has commenced a large-scale inquiry which will examine XIUC’s compliance with some of their fundamental obligations under the GDPR in relation to the matters at hand.”
The DPC notified the company of the decision to commence the inquiry on Monday February 16th.
The investigation aims to determine if the social media platform complied with several GDPR obligations, including principles of processing, lawfulness of processing, and data protection by design and by default.
It will also examine whether the company fulfilled the requirement to carry out a Data Protection Impact Assessment regarding the personal data processed.
The Grok model is a generative artificial intelligence functionality associated with the @Grok account within the X platform.
The DPC is the national independent authority in Ireland responsible for the data protection of EU citizens.
This move is significant, as under the General Data Protection Regulation (GDPR), the commission acts as the lead supervisory authority for many global technology firms that have their European headquarters located in Ireland, potentially meaning this will have EU-wide implications.
Under GDPR, the DPC has the power to potentially fine X up to 4% of its global annual revenue for the last year.
Beyond the DPC’s scrutiny, X is facing a regulatory pincer movement across Europe. In January 2026, the European Commission initiated a formal probe under the Digital Services Act (DSA) to investigate if X failed to block “systemic threats” – specifically the explosion of AI-generated deepfakes and illegal content.
Simultaneously, British and French authorities have targeted the chatbot’s safety protocols, with French police even conducting raids on X’s Paris offices to investigate the platform’s role in distributing harmful material.
X has been contacted for comment on the latest development.
Notably, X owner Elon Musk has repeatedly affirmed that anyone engaging in illegal activity using the Grok tool will be penalised, and that he will fully facilitate and assist law enforcement in prosecuting such individuals.