EU Opens Second Probe Into Grok Over Image Generation

X is facing a fresh regulatory challenge in Europe over how its Grok AI is being used to generate sexual images of real people without their consent, including children.

Ireland’s Data Protection Commission (DPC) has launched a formal inquiry into X Internet Unlimited Company (XIUC), the entity behind X in the EU/EEA, focusing on Grok’s role in creating harmful, intimate images and how the platform processes personal data of people in the EU and wider European Economic Area.

The DPC’s investigation follows media reports that X users were able to prompt the @Grok account on the platform to generate sexualised images of real individuals, including minors. According to DPC deputy commissioner Graham Doyle, the regulator has been engaging with XIUC since those reports emerged.

Doyle said the authority has now opened a “large-scale inquiry” to examine XIUC’s compliance with some of its “fundamental obligations under the GDPR” in relation to these issues. The outcome will determine whether X has breached EU data protection law.

At the centre of the case is the reported volume and nature of the images produced. Over an 11-day period from December 29 to January 9, Grok generated about three million sexualized images on X, according to research published by British non-profit the Centre for Countering Digital Hate (CCDH). The group estimates that around 23,000 of those images depicted children.

The DPC inquiry will assess how X handled the personal data involved in the creation of these images, including any data relating to minors, and whether its systems and oversight meet GDPR requirements.

This Irish investigation adds to mounting EU scrutiny of X and Grok. In January, the European Commission opened a separate probe into whether X has violated the bloc’s Digital Services Act (DSA). That case focuses on whether X has properly “assessed and mitigated” the risks tied to Grok on the platform, particularly the spread of illegal content such as AI-generated non-consensual sexually explicit images, including those of children.

Together, the DPC’s GDPR inquiry and the Commission’s DSA investigation create parallel legal tracks for potential enforcement against X in the EU, covering both data protection and content risk management.

X has previously claimed it was blocking Grok from editing photos of real people to place them in revealing clothing. However, reporting this month showed those safeguards were not fully effective: a male reporter found that Grok still generated images of him in revealing outfits and even added visible genitalia.

The DPC’s new probe raises the stakes for X across the EU market. A finding of GDPR violations could carry significant financial and operational consequences for the company, while the ongoing DSA investigation keeps pressure on its broader handling of AI-generated content and illegal material.