Grok Faces EU-Wide Fallout After Ireland Opens Formal Inquiry into Generated Sexual Images

Ireland has officially opened a data protection investigation into X after Grok was accused of generating non-consensual sexual images of real people, including minors.

The investigation, spearheaded by the Data Protection Commission (DPC), places X under regulatory scrutiny. If the social media platform is found guilty, it could trigger massive fines across the EU.

What triggered Ireland’s investigation?

DPC confirmed on February 17 that it has initiated a statutory inquiry into X Internet Unlimited Company (XIUC), the company’s EU-based entity. This investigation marks one of the biggest regulatory actions ever to arise out of Grok’s image-generation scandal.

The DPC launched the inquiry after multiple media reports revealed that users could prompt Grok to generate sexualized images.

“The DPC has been engaging with XIUC since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the @Grok account on X to generate sexualized images of real people, including children,” said Deputy Commissioner Graham Doyle.

The regulator is trying to determine whether X violated core provisions of the General Data Protection Regulation (GDPR).

Because Ireland acts as X’s Lead Supervisory Authority in the EU, the DPC’s findings could lead to enforcement actions that apply across the entire EU.

Technically, under GDPR, authorities can impose fines of up to 4% of global annual revenue.

While the case has the potential harmful content at its core, it’s also about personal data processing.

If Grok generated sexualized images depicting real people without their consent, authorities could say that it’s actually unlawful data processing under Article 6 of the GDPR.

A growing list of investigations

Ireland’s investigation is not the only one. In fact, multiple investigations are targeting X and implicitly Grok.

• The UK Information Commissioner’s Office opened a formal probe in early February.
• The European Commission launched proceedings under the Digital Services Act in January.
• California’s Attorney General began examining Grok’s role in generating sexually explicit AI content.
• Ofcom initiated an online safety investigation in the UK.
• French prosecutors raided X’s Paris offices as part of a criminal investigation into alleged deepfake and child sexual abuse material concerns.

Because X’s European headquarters is in Dublin, the Irish DPC often acts as the primary GDPR enforcer.

How users protect themselves from AI image abuse

While regulators investigate platforms, people must deal right now with the risks generated by AI-powered tools already deployed into the wild.

Users should:

• Limit publicly available personal photos
• Enable strong privacy controls on social platforms
• Monitor for impersonation or deepfake content
• Report non-consensual imagery immediately

How Bitdefender helps protect against AI-driven abuse

Deepfakes represent just one facet of AI abuse. Attackers are beginning to combine generative AI with phishing, impersonation scams and social engineering.

Bitdefender security solutions help users and organizations:

• Detect AI-assisted phishing attempts
• Block malicious links and impersonation campaigns
• Protect personal data from exposure
• Monitor digital footprints for abuse

FAQ

Why did Ireland open an investigation into Grok?

DPC launched the inquiry after reports claimed that users could prompt Grok to generate sexualized images of adults and minors.

What laws does the investigation involve?

The inquiry focuses on GDPR compliance and including lawful processing, among others

Could X face fines?

Yes. GDPR allows fines of up to 4% of global annual revenue if regulators find serious violations.

Are other countries investigating Grok?

Yes. Regulators in the UK, EU, US, and France have launched related investigations

Has Ireland found X guilty?

No. The investigation remains ongoing.