The Irish data protection authority has opened a formal investigation into X following the use of Grok, the platform-linked artificial intelligence tool, to generate non-consensual sexual images of real people, including minors. The Irish regulator's intervention is not a minor procedure: Ireland acts as the lead authority in the European Union for X because the company's European headquarters is there, so its conclusions can translate into sanctions with effect throughout the European Economic Area. You can read the body's official note in its public release.
The investigation focuses on basic obligations under the General Data Protection Regulation (GDPR): whether X's European subsidiary (X Internet Unlimited Company) acted in accordance with the principles of lawful processing, applied data protection by design and by default, and carried out the data protection impact assessments required by law for high-risk systems. In practical terms, regulators want to know whether the risk of real harm, such as the creation of images that violate privacy or may constitute sexual abuse of minors, was assessed and mitigated before the service was deployed.

The Irish investigation adds to a battery of international investigations. The British data protection regulator (ICO) announced its own formal investigation in early February; the UK online safety regulator, Ofcom, also launched an inquiry focused on sexualized image generation, and the California Attorney General opened a procedure in the United States. These official announcements are available on the pages of the ICO, Ofcom and the office of the California Attorney General.
There have also been criminal proceedings in Europe: French prosecutors have searched X offices and are investigating whether Grok could generate material that constitutes child sexual exploitation or that disseminates criminal content such as Holocaust denial. The press and international agencies have followed these developments; for example, Reuters has reported on the actions of the European Commission and the investigations in France.
Why does it matter so much that the DPC is the lead authority? When a European regulator conducts a cross-border investigation under the GDPR, its decisions can be applied in all 27 Member States and in the three other EEA countries. This means that if X is found to have failed to comply with the rules, the penalty and any corrective measures would affect the operation of the service across Europe, not just in a particular country.
In addition to the administrative dimension, there are commercial and reputational consequences. Fines under the GDPR can reach up to 4% of a company's annual global turnover, a ceiling that large technology companies know can be painful. For its part, the ICO can impose significant fines in the UK: both frameworks have levers to force technical and governance changes in AI products.
On the technical and ethical level, the case puts back on the table questions that are not new but are urgent: what controls should be implemented before allowing a model to generate images representing real people? Are content filters and blacklists enough, or do we need technical tests and external audits to ensure clear limits? The discussion revolves around shared responsibility between model designers, the platforms that make the models available and the regulators who set the standards.
The practical measures required by regulators often range from carrying out data protection impact assessments (DPIA) to incorporating technical safeguards, robust adversarial testing and clear reporting and rectification mechanisms. Researchers and auditors demand transparency on training data, model capabilities and risk assessments; regulators demand that all this be documented and operational before the general public interacts with tools capable of causing serious harm.

From the company involved, initial communications point to a dialogue with the authorities. The official tone of the Irish regulator indicates that this interaction will continue as the investigation proceeds. But the course of the inquiry could lead to requirements for product modification, functionality limitations or, ultimately, economic sanctions to force the reconfiguration of how and to whom the technology is offered.
For the public and technology professionals, this case is a wake-up call. It is not just a legal conflict; it is a real-time experiment in how to integrate powerful AI systems into mass services without leaving people unprotected. Decisions made by the DPC, the ICO, Ofcom, the European Commission and other actors will set a precedent for the governance of generative models and for what is considered a responsible deployment.
As the investigations move forward, information from official sources and reliable media should be followed. To consult the communiqués and the actions already announced, see the pages of the Irish regulator (DPC), the ICO, Ofcom and the California Attorney General, and international reports such as those from Reuters. We will keep an eye on how these investigations end and what lessons they leave for the responsible design of artificial intelligence.