What specific violations of the GDPR is the EU investigating regarding X and Grok's deepfake generation?

Ireland's Data Protection Commission is examining whether X Internet Unlimited Company complied with GDPR requirements including lawful handling of data, data protection by design, and conducting proper data protection impact assessments. The investigation focuses on the creation and publication of non-consensual sexualized images using EU user data, which violates fundamental GDPR principles around data processing and user consent.[1]

What are the potential financial penalties X could face from this investigation?

Under GDPR enforcement, X could face fines of up to 4% of its global revenue for violations found during the inquiry. This represents the maximum penalty available under EU data protection law for serious breaches of the regulation.[1]

What regulatory actions have other countries and organizations taken regarding X's deepfake issue?

Multiple jurisdictions have launched investigations: Spain ordered prosecutors to investigate X along with Meta and TikTok, French prosecutors raided X's Paris offices and summoned Elon Musk for questioning, the U.K. Information Commissioner's Office opened an inquiry, and the European Commission launched a separate probe under the Digital Services Act.[1]

How many deepfake images were created and did they actually involve minors?

Thousands of sexualized deepfakes of women were generated using Grok in early January 2026, with researchers reporting that some images appeared to include children, though the exact number involving minors and verification of whether actual children were depicted requires further investigation by authorities.[1]

3 sources

•

6d ago

EU Probe Targets X's Grok Over Deepfake Sexualized Images

Ireland's data watchdog opened a large-scale GDPR inquiry after Grok generated thousands of sexualized deepfakes, some appearing to involve children.

Overview

A summary of the key points of this story verified across multiple sources.

Ireland's Data Protection Commission opened a large-scale inquiry into X and its Grok chatbot over the creation and publication of potentially harmful non-consensual sexualized images involving EU user data, the commission said.

Thousands of sexualized deepfakes of women were generated using Grok in early January, and researchers said some images appeared to include children.

Spain ordered prosecutors to investigate X, Meta and TikTok, French prosecutors raided X's Paris offices and summoned Musk for questioning, the U.K. Information Commissioner's Office opened an inquiry, and the European Commission launched a probe under the Digital Services Act.

The inquiry targets X Internet Unlimited Company in Dublin and will examine compliance with the EU's General Data Protection Regulation, which allows fines up to 4% of global revenue for violations.

The DPC said it will assess whether processing met legal requirements such as lawful handling, data protection by design, and data protection impact assessments as the inquiry proceeds.

Written using shared reports from

3 sources

Report issue

Analysis

Compare how each side frames the story — including which facts they emphasize or leave out.

Center-leaning sources frame the story as regulatory scrutiny of corporate recklessness by emphasizing harm and oversight, using evaluative terms (e.g. 'behemoth', 'hands-off'), privileging regulator and safety-expert voices while noting X's non-response, and organizing details (GDPR probe, merger valuation, prior controversies) to suggest systemic risk and managerial neglect.

How we categorize media bias

Sources (3)

Compare how different news outlets are covering this story.

Sort By

FAQ

Dig deeper on this story with frequently asked questions.

: Ireland's Data Protection Commission is examining whether X Internet Unlimited Company complied with GDPR requirements including lawful handling of data, data protection by design, and conducting proper data protection impact assessments. The investigation focuses on the creation and publication of non-consensual sexualized images using EU user data, which violates fundamental GDPR principles around data processing and user consent.[1]
Sources:
European Commission Press Corner
: Under GDPR enforcement, X could face fines of up to 4% of its global revenue for violations found during the inquiry. This represents the maximum penalty available under EU data protection law for serious breaches of the regulation.[1]
Sources:
European Commission Press Corner
: Multiple jurisdictions have launched investigations: Spain ordered prosecutors to investigate X along with Meta and TikTok, French prosecutors raided X's Paris offices and summoned Elon Musk for questioning, the U.K. Information Commissioner's Office opened an inquiry, and the European Commission launched a separate probe under the Digital Services Act.[1]
Sources:
European Commission Press Corner
: Thousands of sexualized deepfakes of women were generated using Grok in early January 2026, with researchers reporting that some images appeared to include children, though the exact number involving minors and verification of whether actual children were depicted requires further investigation by authorities.[1]
Sources:
European Commission Press Corner

History

See how this story has evolved over time.

This story does not have any previous versions.