On February 17, 2026, Ireland’s Data Protection Commission (DPC) officially launched a formal investigation into X (formerly Twitter) and its AI chatbot Grok. The probe focuses on alleged misuse of the model to generate non-consensual sexualized images, including content involving minors — a concern that has triggered broad regulatory backlash.
As the lead privacy regulator for X’s European Union operations — because the company’s EU headquarters are in Ireland — the DPC is examining whether X Internet Unlimited Company (XIUC), X’s EU legal entity, complied with key requirements of the General Data Protection Regulation (GDPR). Specifically, the inquiry will assess:
- Lawfulness of data processing.
- Data protection by design and default.
- Adequacy of Data Protection Impact Assessments (DPIAs).
Deputy Commissioner Graham Doyle confirmed the DPC has been engaging with XIUC since initial media reports showed that users could prompt Grok to output sexually explicit images of real individuals.
Technical & Legal Focus of the Investigation
The Irish probe isn’t simply about offensive images — it’s rooted in GDPR compliance. Under EU law, any processing of personal data — including using identifiable characteristics to generate altered images — must meet strict conditions:
- Lawful Basis (Article 6 GDPR):
AI-generated image outputs tied to the likeness or identity of individuals could count as personal data processing. Regulators will scrutinize whether proper legal justifications existed for this processing. - Data Protection by Design (Article 25):
Robust safeguards must be built into AI systems to prevent misuse. Ireland’s inquiry will assess if X’s development lifecycle for Grok incorporated adequate privacy safeguards and risk mitigation. - Impact Assessments (Article 35):
DPIAs are mandatory where processing is “likely to result in high risk” to individual rights. The DPC will evaluate whether the potential for harmful deepfakes was properly anticipated and mitigated before Grok’s deployment.
Failure to comply with GDPR can lead to fines of up to 4 % of global annual turnover — substantial penalties that make this one of the most consequential regulatory actions yet against AI-driven image generation.
Context: Grok’s Image Generation Controversy
Grok, developed by xAI and integrated into X, includes AI image editing and generation capabilities. Since its deployment, users discovered ways to exploit prompts that directed the model to:
- Remove clothing from photos.
- Produce sexualized depictions of public figures and private individuals without consent.
- Generate altered depictions of minors or underage individuals.
Although X announced safety restrictions aimed at blocking sexually explicit image requests, investigations and independent reporting found that Grok could still produce problematic imagery when given certain prompts. This gap between policies and actual outputs is central to regulatory concerns.
Multinational Regulatory Response
Ireland’s investigation is part of a growing global enforcement effort:
- The United Kingdom’s Information Commissioner’s Office (ICO) initiated a formal probe in early February into whether Grok complied with UK data protection standards.
- The European Commission opened a separate Digital Services Act (DSA) investigation into Grok’s content moderation and risk assessment practices.
- U.S. regulators, including the California Attorney General, are also examining potential legal violations tied to sexual imagery generation.
- France has pursued criminal inquiries, including searches of X’s offices and interviews with top executives over deepfake content issues.
Additionally, states like Spain are investigating social media platforms, including X, Meta, and TikTok, for AI-generated child sexual abuse material — reflecting broader concerns over AI misuse and online safety.
Broader Technical and Policy Implications
The Grok controversy underscores several emerging challenges at the intersection of large-scale AI and data protection:
1. AI Models and Personal Data
Even when an AI system doesn’t explicitly store personal data, outputs tied to identifiable individuals can implicate privacy laws. Generative models often learn from vast datasets where individual consent and usage rights are unclear, triggering legal risk.
2. Safeguards and Guardrails
Technical defenses — such as content filters, moderation layers, and prompt restrictions — are only as strong as their design and enforcement. Regulatory bodies are increasingly demanding verifiable guardrails with measurable effectiveness.
3. Risk Assessment Before Deployment
Regulators are signaling that pre-deployment risk assessments aren’t optional. DPIAs must anticipate how models could be misused, including bad-faith scenarios.
Conclusion
Ireland’s GDPR investigation into X and Grok represents one of the most significant regulatory challenges facing AI-driven content generation. Far from being a narrow media scandal, it highlights deep technical and legal questions about how large language models are developed, deployed, and governed in real-world contexts where personal data and individual rights are at stake. The unfolding inquiries across Europe and beyond may set precedents for how privacy, safety, and AI innovation coexist in the digital age.
