Ireland’s Data Protection Commission (DPC) opened a formal GDPR investigation into X’s use of the Grok AI tool after reports that users could prompt @Grok to generate non-consensual sexualized images of real people, including children. The DPC said it will examine whether X’s EU subsidiary (X Internet Unlimited Company) met core GDPR obligations, including lawful processing, data protection by design, and whether appropriate data protection impact assessments were conducted.
The Irish inquiry adds to a widening set of actions focused on Grok-related harms and platform safety governance. UK authorities have also moved to tighten expectations for AI chatbot providers following Grok-linked sharing of non-consensual intimate images, with the UK government signaling faster rule updates and enforcement for child-safety duties; separately, the UK ICO has opened its own investigation, and the European Commission has initiated proceedings under the Digital Services Act to assess whether X adequately evaluated risks before deploying Grok. Additional reported scrutiny includes investigations by California’s Attorney General and UK regulator Ofcom, and a separate criminal probe in France involving a raid of X’s Paris offices.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
French prosecutors said Elon Musk did not appear for voluntary police questioning in Paris as part of the criminal investigation into X over alleged illegal sexualized AI-generated images. Authorities said his absence would not halt the case and that invitations had also been extended to CEO Linda Yaccarino and other employees to explain compliance measures.
The European Commission separately began examining whether X violated the EU Digital Services Act by failing to assess and mitigate risks tied to deploying Grok in the EU. This added DSA scrutiny to the GDPR-focused Irish investigation.
Ireland's Data Protection Commission opened a formal investigation into X over allegations that Grok could generate and publish non-consensual sexualized images of real people, including children. The probe will examine lawful processing, privacy by design, and whether X carried out an adequate data protection impact assessment.
Following a recent intervention over non-consensual intimate images shared via Grok, a related function was removed from the service. The action was cited by the UK government as part of its push for stricter AI chatbot safety enforcement.
The UK government announced immediate action to force AI chatbot providers to comply with existing online child-safety duties, warning of legal consequences for non-compliance. Prime Minister Keir Starmer also said the government would seek new legal powers to update online safety rules more quickly.
French authorities searched X's Paris offices as part of an investigation into compliance with European digital safety law and the handling of illegal content linked to Grok-generated sexualized imagery. The raid was reported as occurring on 2026-02-03.
In January 2026, Apple privately told xAI that Grok could be pulled from the App Store unless it stopped generating nude and sexualized deepfakes, finding X and Grok in violation of App Store rules. Apple required a content moderation plan, rejected an initial remediation as insufficient, and later approved a revised submission after further changes.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
12 references tracked. Mallory keeps watching after this page renders.
therecord.media
Open sourcemacrumors.com
Open sourcesecurityaffairs.com
Open sourcelawfaremedia.org
Open sourcego.theregister.com
Open sourcehelpnetsecurity.com
Open sourcegovinfosecurity.com
Open sourcehelpnetsecurity.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.