Ireland's Data Protection Commission (DPC), the country's data protection authority, has opened a formal investigation into X over the use of the platform's Grok artificial intelligence tool to generate non-consensual sexual images of real people, including children.
The DPC, which also serves as the lead European Union privacy regulator for X due to the company's Irish headquarters, said the inquiry will examine whether X Internet Unlimited Company (X's EU subsidiary) complied with core GDPR obligations, including the principles of lawful processing, data protection by design, and the requirement to conduct data protection impact assessments.
"The DPC has been engaging with XIUC since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the @Grok account on X to generate sexualised images of real people, including children," said Deputy Commissioner Graham Doyle on Tuesday.
"As the Lead Supervisory Authority for XIUC across the EU/EEA, the DPC has commenced a large-scale inquiry which will examine XIUC's compliance with some of their fundamental obligations under the GDPR in relation to the matters at hand."
The Irish investigation joins a growing multinational enforcement effort currently targeting X's Grok AI operations. The UK Information Commissioner's Office (ICO) launched its own formal investigation on February 3, while the European Commission opened proceedings in January to examine whether X properly assessed risks under the Digital Services Act before deploying Grok.
California Attorney General Rob Bonta and UK online safety regulator Ofcom are also investigating X over non-consensual sexually explicit content generated through Grok.
French prosecutors raided X's Paris offices two weeks ago as part of a separate criminal probe into whether Grok generated child sexual abuse material and Holocaust denial content. The French authorities have also summoned Elon Musk, CEO Linda Yaccarino, and some X employees for interviews in April.
As the lead EU supervisory authority, the DPC's investigation carries particular weight, as its findings could result in substantial fines enforceable across all 27 EU member states and the three European Economic Area countries (Iceland, Liechtenstein, and Norway). The ICO, as the UK's independent data protection regulator, can also impose fines of up to £17.5 million or 4% of a company's worldwide annual turnover.
Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
Comments
Dantevortex - 1 month ago
"the alleged ability of"
It's impossible to upload images and use the "s***y mode" on them.
The whole "bikini" thing has long been patched. You cannot put bikini's on uploaded photos anymore.
And AI generated images do have some form of nudity, but you cannot generate children with nudity.
So not sure where this "alleged" proof is that you can, but you really cannot create it. It's impossible.
Nyle - 1 month ago
Will these countries be suing Adobe next for creating photosshop or the creators of GIMP? How is this tool different, because it's automated? Seriously, X mitigated the anonymous issue so that the person creating the content can be determined. There wouldn't be political motivations to this all, would there??
Drags - 1 month ago
"Will these countries be suing Adobe next for creating photosshop or the creators of GIMP? How is this tool different, because it's automated? Seriously, X mitigated the anonymous issue so that the person creating the content can be determined. There wouldn't be political motivations to this all, would there??"
There is such a thing called "laws" - they do prohibit the creation / publication / duplication of CSM, as well as the creation / publication / duplication of adult sexual content without explicit permission of person in picture. As such GROK is, rightfully so, being investigated. Also, a paywall is no mitigation.
Dantevortex - 1 month ago
You could literally upload images to Gemini, chatGPT and make the person wear bikini's as well.
Not sure if that has been patched, but I tested it when Grok was first attacked over it, and they happily undressed everyone, no questions asked.
Grok on the other hand has indeed made it impossible now to undress people. Also behind the paywall will it not allow you to do this.
So, yeah go investigate, good job. Maybe go investigate the other AI's as well.
Attacking just Grok over it seems to be specific choice, and it's not because they remotely care about the so called "laws".
Laws against deepfakes already exist, and will be expanded soon as well.
Drags - 1 month ago
"Grok on the other hand has indeed made it impossible now to undress people."
Means they've broken the law. They created and publicated, as they've made the pictures available to 3rd parties - thus the investigation, same as the others, are warranted. As far as I am aware bikini is not counted as sexual content like nude pictures, etc.
There is no differentiator of LLMs or their providers. Nude / sexual content will get the same treatment.
Nyle - 1 month ago
Nothing you said excludes other tools from the same supposed requirements. Going after the tool as opposed to the tool user, is the typical illiberal arguments made to shift culpability of action to another entity. In this case, it's blatantly obvious that X is being politically targeted because it won't censor when Nations demand it do so. Otherwise, we'd see equal litigation of all cloud based services when users break "laws" with them. The headlines are blatantly one sided,. There can be no justice with unequal application of the law.
Drags - 1 month ago
"Nothing you said excludes other tools from the same supposed requirements."
Then you did not understand what I was writing.
"Going after the tool as opposed to the tool user, is the typical illiberal arguments"
I am not US American, I don't think in only two parties; both sides have responsibilities.
"X is being politically targeted because it won't censor when Nations demand it do so."
It't been proven plenty of times that Musks' company is censoring the way it likes
"The headlines are blatantly one sided,"
Only if you want to read everything that way - if you look at the big picture including OpenAI and other LLM companies, they have plenty of other limits in place or are overall not even creating pictures to not have to deal with this.
What Rex wrote is fully on point. There is no "only one side needs to do .." talks here, both are responsible. If either is blatantly ignoring laws then yes, charges will need to be done. It's not like EU countries are the only investigating parties. It will cost Grok billions in fines and rightly so. Musk will also have a problem of being held accountable for this.
RexvimilZuzakzmo - 1 month ago
Its funny, how it is only tool the moment it is convenient...
Anyway, regarding this ridiculous "arguments". Grenade or Flamethrower are tools, Fentanyl as well, and so is ZyklonB - just because device/mechanism/modifier/item has no agency doesn't mean you can give it away like candy or sell, blaming any potential abuse on the users.
Then there is an issue of AI not being just "any tool" clearly - DOESN'T IT LEARN?!? What sort of "tool" educate themselves?
Finally, everyone remember how AI learned to forge Miyazaki style by gorging on his works. My question is, where did it learned how to do "kid stuff" and can someone explain to me how exactly was it legal? Considering even innocent depictions of children are protected by one way or another (age, licensing, regulations, etc.)
It is disgusting how some - and I'm really straining here to use the word: people, defend rich and powerful over matters like this one... Responsibility is obviously shared, with one side contributing significantly more than the other.