Ireland’s DPC opens data privacy probe into X’s Grok

The investigation follows EU Commission concerns that Grok may have generated content that could amount to child sexual abuse material, and comes amid wider international scrutiny.
The European Commission investigates Grok over millions of sexualised images, examining delayed enforcement, geopolitical tensions and the effectiveness of the EU’s strictest digital rules.

Ireland’s Data Protection Commission (DPC) has opened a formal investigation into X, focusing on whether the platform complied with its EU privacy obligations after users reportedly generated and shared sexualised, AI-altered images using Grok, the chatbot integrated into X. The inquiry will examine how the EU users’ personal data was processed in connection with this feature, under Ireland’s Data Protection Act and the GDPR framework.

The controversy centres on prompts that can ‘edit’ real people’s photos, sometimes producing non-consensual sexualised imagery, with allegations that some outputs involve children. The DPC has said it has been engaging with X since the reports first emerged and has now launched what it describes as a large-scale inquiry into the platform’s compliance with core GDPR duties.

Public and political reaction has intensified as examples of users altering images posted by others without consent, including ‘undressing’ edits, circulated. Child-safety concerns have widened the issue beyond platform moderation into questions of legality, safeguards, and accountability for generative tools embedded in mass-use social networks.

X has said it has introduced restrictions and safety measures around Grok’s image features, but regulators appear unconvinced that guardrails are sufficient when tools can be repurposed for non-consensual sexual content at scale. The DPC’s inquiry will test, in practical terms, whether a platform can roll out powerful image-generation/editing functions while still meeting the EU privacy requirements for lawful processing, risk management, and protection of individuals.

Why does it matter?

The DPC (Data Protection Commission) is Ireland’s national data protection authority, an Irish public regulator, but at the same time, it operates within the EU’s GDPR system as part of the network of EU/EEA regulators (the ‘supervisory authorities’). The DPC’s probe lands on top of a separate European Commission investigation launched in January under the EU’s Digital Services Act, after concerns that Grok-fuelled deepfakes on X included manipulated sexually explicit images that ‘may amount to child sexual abuse material,’ and questions about whether X properly assessed and mitigated those risks before deployment. Together, the two tracks show how the EU is using both privacy law (GDPR) and platform safety rules (DSA) to pressure large platforms to prove that ‘generative’ features are not being shipped faster than the safeguards needed to prevent serious harm, especially when women and children are the most likely targets.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot