EU Launches Data Privacy Probe into Elon Musk’s X Over Deepfake Imagery
Ireland’s Data Protection Commission (DPC) has initiated a large-scale inquiry into X, formerly known as Twitter, on behalf of the European Union, focusing on potential breaches of the bloc’s General Data Protection Regulation (GDPR). The investigation centers on the creation and dissemination of sexualized deepfake images generated by X’s AI chatbot, Grok. This move underscores increasing regulatory scrutiny of artificial intelligence and its potential for misuse.
The DPC announced the probe on Tuesday, February 17, 2026, stating it had formally notified X on Monday. The inquiry will examine whether the company complied with its obligations under GDPR regarding the personal data of European Economic Area (EEA) and EU data subjects. According to the DPC, the investigation specifically addresses “the alleged creation and publication on X of potentially harmful, non-consensual intimate or sexualised images involving Europeans, including children,” generated using the Grok tool.
The investigation was prompted by reports in January that Grok was being used to create sexualized images of individuals, including minors, in response to user prompts. Researchers found the AI tool could fulfill requests to undress people with its image generation capabilities, leading to widespread concern. While X has since introduced some restrictions on Grok, European authorities deemed them insufficient.
As X’s European operations are headquartered in Dublin, Ireland’s DPC serves as the lead regulator for the platform within the EU. DPC Deputy Commissioner Graham Doyle stated the authority has “been engaging” with X “since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the Grok account on X to generate sexualised images of real people, including children.”
This investigation is separate from another EU probe, launched in late January, examining X’s compliance with the Digital Services Act (DSA). The DSA aims to regulate online platforms and ensure they proactively address illegal and harmful content. Violations of GDPR can result in fines of up to 4% of a company’s total global revenue, while breaches of the DSA can lead to penalties of up to 6% of global revenues. The Irish regulator opened the EU privacy investigation after the chatbot generated nonconsensual deepfake images.
X has yet to respond to this latest probe, according to reports. Ireland launches data protection probe into Grok’s deepfakes, adding to the growing international backlash against the AI tool. The Irish watchdog opens EU data probe into Grok sexual AI imagery.
