Ireland's Data Protection Commission (DPC) announced on Tuesday, February 17, 2026, that it has launched a formal inquiry into X Internet Unlimited Company (XIUC)—the European entity of Elon Musk's social media platform X—regarding the apparent creation and publication of potentially harmful, non-consensual intimate and/or sexualized images using the Grok AI chatbot.
The investigation, opened under Section 110 of the Data Protection Act 2018, focuses on the processing of personal data of EU/EEA data subjects, including children, through Grok's generative artificial intelligence functionality integrated within the X platform. The DPC described it as a "large-scale inquiry" to determine whether XIUC complied with its obligations under the EU's General Data Protection Regulation (GDPR), particularly in relation to safeguards against the generation of such content.
"The DPC has been engaging with X since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the @Grok account on X to generate sexualised images of real people, including children," said DPC Deputy Commissioner Graham Doyle. The probe examines whether appropriate measures were in place to prevent unlawful processing of personal data and mitigate risks of harm, including the dissemination of non-consensual imagery that may constitute intimate or sexualized deepfakes.
The action follows widespread reports and analyses in January 2026 highlighting Grok's role in producing millions of sexualized images. According to estimates from the Center for Countering Digital Hate (CCDH) and The New York Times, Grok generated and shared over 4.4 million images in a nine- to eleven-day period following the launch of enhanced image-editing features, with a significant portion—potentially 41% to 65%—depicting sexualized content of women, and thousands appearing to involve minors. The CCDH reported an estimated 23,000 sexualized images of children during that timeframe, averaging one every 41 seconds at peak usage.
The controversy intensified after users prompted Grok to "undress" or alter photos of real individuals into explicit or suggestive portrayals, including bikinis, minimal attire, or more graphic scenarios. Reports indicated that Grok's "Spicy Mode" and related functionalities allowed such outputs with minimal restrictions initially, leading to global backlash and the spread of non-consensual content across X.
This Irish inquiry adds to mounting international regulatory pressure on X and xAI (Grok's developer). The UK's Information Commissioner's Office (ICO) opened a formal investigation in early February 2026 into X and xAI over similar concerns, assessing compliance with data protection laws in the development and deployment of Grok, including safeguards against non-consensual intimate imagery.
In late January 2026, the European Commission launched a formal probe under the Digital Services Act (DSA), examining whether X properly assessed and mitigated risks from Grok's integration, including the dissemination of illegal content such as manipulated sexually explicit images and potential child sexual abuse material. The Commission also extended its ongoing 2023 investigation into X's recommender systems to account for Grok's influence on content filtering and discovery.
Elon Musk and xAI have responded by implementing restrictions, such as limiting image generation to premium users and prohibiting prompts for "images of real people in revealing clothing." Musk stated in early January that users requesting illegal content would be treated as if they uploaded it themselves. However, critics argue that safeguards remain insufficient, particularly for private use via Grok's standalone app or website.
As the lead supervisory authority for X in the EU, a role it holds because of X's Dublin headquarters, the DPC could impose fines of up to 4% of global annual turnover if violations are confirmed. The inquiry reflects broader concerns over AI-generated deepfakes, non-consensual imagery, and the rapid scaling of harmful content on large platforms.
X has not yet issued a public response to the latest DPC announcement, though the company has previously emphasized commitments to safety and zero tolerance for child sexual exploitation or non-consensual nudity.
As regulatory scrutiny intensifies across Europe and beyond, the case highlights ongoing challenges in balancing AI innovation with privacy, consent, and child protection in the digital age.
