Ireland opens GDPR probe into X's Grok over non-consensual image generation

Ireland's Data Protection Commission has opened a formal probe into X's Grok AI over reports it generated non-consensual nude or nearly nude images, according to The Register. The inquiry is being carried out under section 110 of the Data Protection Act 2018 and will examine possible breaches of GDPR Articles 5, 6, 25 and 35 as well as broader obligations that apply to AI-driven image features.

What the DPC is probing

The DPC is acting as a lead EU regulator in a case that has already drawn scrutiny from multiple national and supranational authorities, including the European Commission, the UK Information Commissioner’s Office, Ofcom and French regulators, as well as several non-EU jurisdictions. Regulators are focusing on whether Grok produced sexualised depictions of real people without consent, and how X implemented safeguards, data protection by design and impact assessments for an image-generation feature. X responded to mounting inquiries by restricting Grok image generation first for free users and then for all users, but the probe will determine whether that reaction addresses potential GDPR violations or whether corrective orders and fines are warranted.

The investigation is taking place in the context of overlapping regulatory frameworks. Authorities are not only invoking GDPR provisions that govern lawful processing and privacy by design, they are also using digital safety laws such as the Digital Services Act and national online safety rules to assess risks to fundamental rights. That combination raises the bar for how platforms deploy generative image capabilities in the EU and potentially sets precedent for international enforcement coordination.

Implications for EU tech

Heightened enforcement increases compliance costs for any organisation that builds or integrates generative image models, but it also creates a market opportunity for vendors that bake privacy and safer defaults into their products. European providers and GDPR-compliant offerings can claim clearer legal footing and stronger recourse for affected users, which matters for enterprise customers and public sector buyers deciding between US platforms and EU alternatives. At the same time, rapid feature rollouts by large platforms may continue to outpace rulemaking and enforcement, producing a cycle of reactive restrictions followed by legal scrutiny.

For users and procurement teams, the probe underscores a practical trade-off. Services that prioritise aggressive innovation in generative features may offer capabilities earlier, but those same services now face real enforcement risk in Europe. Conversely, tools that default to safer settings, require explicit consent for image processing of real people and publish thorough data protection impact assessments should become more attractive to risk-averse organisations.

What You Should Do

If your team builds or buys generative image technology, treat this probe as a compliance wake-up call. Perform a documented data protection impact assessment and map any processing that could identify or depict real people. Adopt privacy by design, which means defaulting image generation options to safer modes, requiring explicit consent for processing of images that could be sexualised and keeping auditable logs for content moderation decisions. Monitor enforcement from the DPC and parallel investigations under the Digital Services Act and national online safety laws, and be prepared to implement geofencing or temporary feature restrictions for EU users if advised by counsel.

For procurement and risk teams, include contractual obligations that require suppliers to maintain DPIAs, provide transparency on model training data and support rapid mitigation steps if regulators intervene. For product teams, prioritise guardrails that reduce the likelihood of non-consensual imagery, and make those technical and governance choices visible to customers.

The DPC's determination will be closely watched across Europe, and coordinated findings from the DPC, the European Commission and national regulators could define practical limits for image-generation features under GDPR and digital safety rules. Watch for those decisions and for guidance that clarifies what constitutes adequate safeguards for generative image tools.

Sources

The Register: Ireland DPC probe into X's Grok AI

Element Blog: The Digital Omnibus, opportunities and risks for open source

EDRi: Reopening GDPR and ePrivacy through the Digital Omnibus

EDRi: Ensuring human-rights based global perspectives in DSA enforcement

Watch for the DPC's findings and any coordinated enforcement steps under the DSA and related national regulators next.