Elon Musk’s
The Information Commissioner’s Office is investigating whether the social media platform and its parent broke data protection law GDPR.
It said the creation and dissemination of the images on social media raised serious concerns under the UK’s data regime, such as whether “appropriate safeguards were built into the design and deployment of Grok”.
The move came as French prosecutors raided X’s Paris headquarters as part of an investigation into alleged crimes including the dissemination of child abuse images and sexually explicit deepfakes.
X became the subject of heavy public criticism in December and January when the platform’s account for the Grok AI tool was used to mass-produce partially nude images of girls and women. The standalone Grok app was also used to generate erotic deepfakes.
X and XAI announced measures to combat abuse, but this was followed by numerous regulatory and legal investigations. Both companies have been contacted for comment.
William Malcolm, executive director of regulatory risk and innovation at the ICO, said: “The reports about Grok raise deeply disturbing questions about how people’s personal data has been used to create intimate or sexual images without their knowledge or consent, and whether the necessary safeguards were in place to prevent this.
“Losing control over personal data in this way can cause immediate and significant harm. This is particularly the case where children are involved.”
The GDPR requires that people’s data, including their images, be managed in a fair, lawful and transparent manner – and that they be informed about how their data is used.
Violations of the GDPR could result in fines of up to £17.5 million or 4% of global turnover. X’s revenues are not public, but market research company eMarketer estimated it was expected to make $2.3bn (£1.7bn) in advertising last yearThat would equate to a fine of approximately $90 million.
Ian Wilson, managing partner of law firm Brett Wilson, said: “The ICO investigation raises serious questions about the nature of AI-generated imagery and how it is sourced. If photographs of living persons have indeed been used to generate non-consensual sexual imagery, it is difficult to imagine a more serious breach of data protection law.
“This is especially the case when the subjects are identifiable or children.”
According to researchers, the Grok AI generated nearly 3 million sexually explicit images in less than two weeks, including 23,000 that depicted children.
The
In a separate statement, Ofcom, the UK’s communications regulator, said it was not investigating xAI, which provided the standalone Grok app.
Ofcom also said that its investigation into Ax’s case was still gathering evidence and that the investigation could take several months.
The company has taken steps to address the issue and should be given “full opportunity to report”.
Asked why it was not investigating XAI, the statement said not all chatbot activities are covered under the Online Safety Act, the law that covers sites like XAI. For example, if a chatbot interacts with one person and not with any other user, it is not within the scope of the Act.
However, pornography providers are covered by the Act, leaving Ofcom a potential avenue to widen the scope of its investigations. It said it was considering investigating whether xAI complied with rules requiring age-limiting of pornographic content.
Meanwhile a cross-party group of MPs, led by Labour’s Anneliese Dodds, has written to the technology secretary, Liz Kendall, urging the government to introduce AI legislation to prevent a repeat of the Grok scandal. The law will require AI developers to fully assess the risks posed by their products before releasing them.
Dodds said, “If proper testing and risk assessment had been carried out the scam would not have happened in the first place. This episode shows that existing safeguards are not sufficient.”
A spokesperson for the Department of Science, Innovation and Technology said: “We have strengthened the Online Safety Act so that services have to take proactive action to tackle this content. And we will ban the supply of tools designed to create non-consensual intimate images – targeting the problem at its source.”
