Ireland’s Data Protection Commission (DPC), the country’s data protection authority, has opened a formal investigation into X over the use of the platform’s Grok artificial intelligence tool to generate non-consensual sexual images of real people, including children.
The DPC, which also serves as the lead European Union privacy regulator for X due to the company’s Irish headquarters, said the inquiry will examine whether X Internet Unlimited Company (X’s EU subsidiary) complied with core GDPR obligations, including the principles of lawful processing, data protection by design, and the requirement to conduct data protection impact assessments.
“The DPC has been engaging with XIUC since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the @Grok account on X to generate sexualised images of real people, including children,” said Deputy Commissioner Graham Doyle on Tuesday.
“As the Lead Supervisory Authority for XIUC across the EU/EEA, the DPC has commenced a large-scale inquiry which will examine XIUC’s compliance with some of their fundamental obligations under the GDPR in relation to the matters at hand.”
The Irish investigation joins a growing multinational enforcement effort currently targeting X’s Grok AI operations. The UK Information Commissioner’s Office (ICO) launched its own formal investigation on February 3, while the European Commission opened proceedings in January to examine whether X properly assessed risks under the Digital Services Act before deploying Grok.
California Attorney General Rob Bonta and UK online safety regulator Ofcom are also investigating X over non-consensual sexually explicit content generated through Grok.
French prosecutors raided X’s Paris offices two weeks ago as part of a separate criminal probe into whether Grok generated child sexual abuse material and Holocaust denial content. The French authorities have also summoned Elon Musk, CEO Linda Yaccarino, and some X employees for interviews in April.
As the lead EU supervisory authority, the DPC’s investigation carries particular weight, as its findings could result in substantial fines enforceable across all 27 EU member states and the three European Economic Area countries (Iceland, Liechtenstein, and Norway). The ICO, as the UK’s independent data protection regulator, can also impose fines of up to £17.5 million or 4% of a company’s worldwide annual turnover.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
