The Data Protection Commission, Ireland’s lead data privacy regulator for many large tech firms operating in Europe, has escalated its engagement with X into a formal inquiry. According to reports, the probe will investigate the platform’s compliance with core duties under the General Data Protection Regulation (GDPR). The DPC stated it had been engaging with the company since reports of the AI’s potential for misuse first surfaced before launching the official investigation.
The controversy stems from Grok’s image manipulation capabilities. Users have reported the ability to use prompts to “edit” or digitally “undress” individuals in photographs, leading to the creation and circulation of non-consensual sexualized deepfakes. The concerns intensified significantly with allegations that some of this manipulated content involved images of children.
This DPC probe follows related concerns raised by the European Commission in . The Commission questioned whether X had properly assessed and mitigated the risks of Grok-fueled deepfakes before deployment, particularly in relation to sexually explicit images that could be classified as child sexual abuse material under the EU’s Digital Services Act (DSA).
The investigation was prompted by a growing public and political reaction as examples of the manipulated images circulated widely online. The core of the regulatory inquiry is to determine if X failed in its legal obligations. Under EU law, platforms are expected to conduct thorough risk assessments for new features, especially generative AI, to prevent serious harms. The dual-track pressure from both the DPC under GDPR and the European Commission under the DSA highlights a broader regulatory effort to ensure safeguards are not outpaced by the rapid deployment of powerful AI tools.
The exact date the DPC officially launched its large-scale inquiry has not been publicly specified. The potential financial penalties X could face if found in breach of GDPR are not yet known. Furthermore, there is no public timeline for the conclusion of the investigation or for any subsequent regulatory actions that may be taken.
X will be required to cooperate with the DPC’s inquiry and provide information on its data processing activities and risk mitigation strategies related to Grok. Depending on the findings, the DPC has the authority to issue corrective orders, such as mandating changes to the AI’s functionality, or impose significant fines. The outcome will likely set a precedent for how generative AI features on major social media platforms are regulated across the European Union.
Follow us on Bluesky , LinkedIn , and X to Get Instant Updates
