Irish DPC probes X over AI-generated deepfakes

Ireland's Data Protection Commission (DPC) has opened a comprehensive investigation into X. The probe centers on AI-generated sexualized images of real people, including children, made with the Grok chatbot integrated into the platform.

AI-generated sexualized deepfakes of real people, including children, represent serious platform-enabled harm and control risks.

Ireland's Data Protection Commission (DPC) has launched a comprehensive investigation into Elon Musk's platform X, focusing on AI-generated sexualized images of real people created through Grok, the chatbot integrated into X.

The inquiry puts the platform's AI image risks under a data protection lens. According to the source, the DPC is examining whether X met core duties under the EU's General Data Protection Regulation (GDPR), including lawful data processing, data protection by design, and the requirement to carry out a data protection impact assessment before launching risky features.

What the DPC is examining

The investigation is centered on how X handled AI-generated deepfakes made with Grok. The source says the images included sexualized depictions of real people, including children.

That focus matters because the DPC is not only looking at the existence of harmful images. It is also reviewing whether the platform's design, launch process, and data handling around Grok complied with GDPR obligations.

The source identifies three areas under review:

  • Lawful data processing, meaning whether X had a lawful basis for the relevant processing under GDPR.
  • Data protection by design, meaning whether privacy and protection duties were built into the feature rather than treated as an afterthought.
  • A data protection impact assessment, which the source says is required before launching risky features.

Deputy Commissioner Graham Doyle said the authority has been in contact with X since the first media reports surfaced several weeks ago.

Why Grok is central to the probe

Grok is central because the chatbot is integrated into X and was used to generate the images at issue. The source says users created thousands of sexualized deepfakes using Grok in early January.

The images triggered sharp criticism from users, security experts, and politicians. The source also says the incident led to multiple regulatory investigations.

For X, the question is therefore broader than whether individual users misused a tool. The DPC is examining whether the platform itself handled the risks of an AI feature in line with GDPR duties before and during its deployment.

The GDPR questions raised by risky AI features

The investigation highlights a core tension for platforms adding generative AI to products used by large audiences. When an AI tool can produce harmful depictions of real people, regulators may look closely at how the feature was assessed, limited, and designed before release.

The source specifically frames the inquiry around GDPR obligations. That means the DPC is looking at privacy and data protection duties rather than only the social or reputational harm caused by deepfakes.

In practical terms, the stated areas of review suggest several plain-language questions:

  • Did X process personal data lawfully in connection with the images and the feature?
  • Did the design of Grok on X account for data protection risks from the start?
  • Did X complete the required assessment before launching a risky feature?

The source does not state an outcome of the investigation. It only says the DPC has launched the probe and has been in contact with X since the first media reports appeared several weeks ago.

What this signals for AI platforms

The DPC's action shows how AI-generated deepfakes can become a regulatory issue when they involve real people and are produced through platform-integrated tools. The case also shows that regulators may evaluate not just the output of an AI system, but the process used to launch it.

For platforms, the source points to a clear set of pressure points: lawful data processing, privacy-minded design, and impact assessments for risky features. These are not abstract compliance labels in this context; they are the specific GDPR obligations now being examined in relation to Grok and X.

The investigation follows a wave of criticism after users created thousands of sexualized deepfakes in early January. With the DPC now involved, the issue has moved from public backlash into formal data protection scrutiny.