Irish DPC launches probe into X over Grok’s AI-generated images
Ireland’s Data Protection Commission (DPC) has opened an investigation into social media platform X following reports that the built-in chatbot Grok is generating intimate and sexualized images featuring real people, including content possibly involving minors. The regulator is working with the platform operator to determine whether these activities comply with the EU’s General Data Protection Regulation (GDPR).
What the data protection commission is examining
According to the DPC, the investigation centers on the alleged creation and distribution of potentially harmful intimate and/or sexualized images linked to the processing of personal data of individuals from the EU/EEA on the X platform. The probe covers both the content generation process by the Grok model and the platform’s moderation and removal practices related to such material.
“The investigation concerns the alleged creation and publication on the X platform of potentially harmful intimate and/or sexualized images containing or otherwise linked to the processing of personal data of data subjects from the EU/EEA, including children, generated using generative AI features based on the large language model Grok on the X platform.”
Irish Data Protection Commission (DPC)
DPC Deputy Commissioner Graham Doyle stated that the office is already exchanging information with X and is focusing on potential risks to children and other vulnerable groups. The primary goal is to assess whether the processing of personal data was lawful, justified, and accompanied by the safeguards mandated under GDPR.
Where Grok is already blocked
- Malaysia and Indonesia have already blocked Grok’s operations within their jurisdictions.
- UK Prime Minister Keir Starmer has ordered all options to be considered, including a potential ban on platform X; discussions on this have taken place with Canada and Australia.
These moves indicate that authorities’ responses go beyond isolated complaints: national regulators and governments are prepared to apply extraterritorial measures against services they believe fail to protect citizens. For X, this raises rapidly escalating operational and political risks in key markets.
Implications for X and its users
If the DPC identifies GDPR violations, X may be required to adjust its system, conduct a Data Protection Impact Assessment (DPIA), or remove the disputed content. Under GDPR, possible penalties include fines up to €20 million or 4% of annual global turnover, whichever is higher, along with mandatory changes to moderation and data handling procedures.
For users, this could mean tighter restrictions on generative features and more stringent review of uploads and prompts; for developers, it could mean the need to rethink model architectures to prevent “sticky” reproduction of personal data. For X, reputational damage and potential bans in certain countries pose a direct threat to user growth and monetization efforts.
The DPC’s investigation is more than a legal footnote: it’s another attempt by regulators to force platforms to embed data protection rules directly into the architecture of generative AI. Whether this results in fines, formal mandates, or local blocks will become clearer as the DPC and X exchange documentation. What’s certain is that new technical and legal requirements are looming over how large AI models handle images of real people.







