Elon Musk’s Grok Faces “Large-Scale” EU Probe Over Deepfake Imagery and Data Rights
Do Son 
Following the precedents set by France and the United Kingdom, the European Union’s primary privacy regulator has formally inaugurated a “large-scale” investigation into Elon Musk’s X and his artificial intelligence venture, xAI.
The Irish Data Protection Commission (DPC), tasked with the enforcement of the EU’s General Data Protection Regulation (GDPR), recently announced the commencement of this extensive inquiry. The crux of the investigation lies in determining whether the AI chatbot, Grok, utilized the personal data of EU citizens illicitly and facilitated the generation of “non-consensual intimate imagery” involving real individuals, including minors. This regulatory offensive was precipitated by a controversy in early January 2026, when a multitude of X users discovered that Grok could be induced via specific prompts to synthesize deepfake pornographic images of authentic female figures. These images proliferated across social networks, inciting a profound backlash from safety experts, policymakers, and the general populace alike.
Graham Doyle, Deputy Commissioner of the DPC, articulated in a statement that the commission has maintained continuous dialogue with X since reports first emerged regarding the tool’s capacity to generate explicit content. The DPC emphasized that this inquiry will scrutinize whether X has upheld its fundamental obligations under the GDPR, specifically regarding “Privacy by Design” during the developmental phase and the establishment of a “lawful basis” for processing EU citizen data for AI purposes. This investigation is part of a broader, global regulatory “encirclement” of the platform:
-
French Judicial Raid: In early February, French and European investigators conducted a search of X’s Paris headquarters, focusing on algorithmic operations and the dissemination of AI-generated sexually abusive content. French prosecutors have subsequently summoned Musk and former CEO Linda Yaccarino for voluntary interviews in April.
-
British Intervention: The UK’s Information Commissioner’s Office (ICO) has launched its own probe, expressing “grave concerns” regarding Grok’s utilization of personal data to synthesize harmful pornography.
-
EU DSA Investigation: Parallel to the GDPR inquiry, the EU had already initiated a formal probe under the Digital Services Act (DSA), mandating that the platform mitigate the risks associated with the propagation of illegal and deleterious content.
In response to this mounting jurisdictional pressure, Elon Musk and X have maintained a characteristically defiant posture. Regarding the French operation, X’s official communications dismissed the allegations as “baseless,” characterizing the search as “law enforcement theater” designed to fulfill illicit political objectives and threaten freedom of expression. Despite this rhetorical belligerence, the specter of astronomical fines and potential bans compelled X to implement “technical measures” last month to restrict Grok from generating specific explicit imagery. However, xAI maintains its commitment to a philosophy of “unfettered expression,” attempting to navigate the precarious boundary between legal mandates and absolute free speech.
The DPC’s intervention signifies a new epoch in the regulation of generative AI: a transition from “content moderation” to a legal struggle over “personal data processing.” While previous discourse on Non-Consensual Intimate Imagery (NCII) focused on ethics and platform accountability, the invocation of the GDPR directly challenges the provenance of the data used to train the models and the right to process such data for image synthesis. This maneuver is particularly devastating, as GDPR violations can incur penalties reaching up to 4% of a firm’s global annual revenue—a staggering figure for the recently merged SpaceX-X entity.
Furthermore, Grok’s unique integration with real-time X data, while a competitive advantage for current events, has rendered it a “ground zero” for deepfake generation. Unlike the stringent guardrails implemented by OpenAI or Google, Musk’s pursuit of an “unrestricted AI” appears to have underestimated the risks of malicious exploitation. As comprehensive AI statutes are enacted globally in 2026, xAI’s “borderline” developmental model will inevitably face incessant litigation. This may necessitate a fundamental reconstruction of its underlying algorithms or the suspension of services within the European theater, presenting a formidable obstacle to Musk’s vision of a “universal application.”
Related Posts:
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
