Ireland’s Data Protection Commission has launched a formal investigation into Grok, the artificial intelligence chatbot developed by Elon Musk’s company X, over concerns about how it processes personal data and its potential to generate harmful sexualised images, including of minors.
The regulator said it is examining whether X Internet Unlimited Company (XIUC), which manages X’s European Union operations from Ireland, is complying with its obligations under the EU’s General Data Protection Regulation. Under GDPR rules, Ireland can impose fines of up to 4 per cent of a company’s global annual revenue for serious breaches.
The probe follows media reports alleging that Grok could be prompted to create sexualised images of real individuals, including children. Last year, the chatbot faced criticism after introducing a feature known as “Spicy Mode,” which allowed users to request altered images of women, including simulated depictions of them undressed or posed in swimwear. Critics said the tool enabled the creation of deepfake content without consent or sufficient safeguards.
Further analysis by media outlets suggested that Grok sometimes complied with prompts to generate sexually suggestive images of minors, including references to a 14-year-old actress. The reports drew attention from regulators across Europe and beyond.
In January, the European Commission opened formal investigations into Grok’s operations. Authorities in the United Kingdom and France have also threatened legal action or initiated inquiries related to the chatbot’s image-generation capabilities.
X has since announced restrictions aimed at preventing Grok from producing sexualised content. However, reports indicate that some problematic images may still be generated despite those curbs.
Deputy Commissioner Graham Doyle said the Data Protection Commission had been engaging with XIUC since the initial reports emerged. “As the Lead Supervisory Authority for XIUC across the EU and EEA, the DPC has commenced a large-scale inquiry,” Doyle said. He added that the investigation will assess the company’s compliance with fundamental GDPR requirements in relation to the issues raised.
The inquiry will focus on how personal data may have been processed to train or operate the chatbot and whether adequate safeguards were in place to prevent misuse. Regulators are increasingly scrutinising AI systems capable of generating realistic images and video, particularly where they involve identifiable individuals.
The outcome of the Irish investigation could have significant implications for X’s operations across the European Union, given Ireland’s central role in enforcing data protection rules for many major technology companies operating within the bloc.
