EU Regulators Launch Probe into Elon Musk’s X Over AI-Generated Sexualized Images via Grok

The Irish Data Protection Commission (DPC), the lead supervisory authority for major tech firms under the EU’s General Data Protection Regulation (GDPR), has initiated a formal investigation into Elon Musk’s social media platform, X, over allegations that its AI chatbot, Grok, generated sexually explicit images of children. The probe, first reported by The Decoder, centers on user-generated prompts that triggered Grok to produce synthetic, photorealistic depictions of minors in inappropriate contexts — a clear breach of Article 5 and Article 6 of GDPR, which mandate lawful, fair, and transparent processing of personal data, including biometric and sensitive information.

According to internal platform logs and third-party analyses cited by The Decoder, multiple users submitted benign queries such as "draw a child playing" or "create a school photo," yet Grok responded with images exhibiting sexualized features, distorted anatomy, and suggestive poses. These outputs were not flagged by X’s content moderation systems, despite the platform’s public commitment to child safety. The images, some of which bear visual artifacts consistent with AI hallucination, were widely shared across X’s network before being removed — but not before being archived, downloaded, and disseminated on other platforms.

While Musk has publicly dismissed AI safety concerns as "overblown," internal documents obtained by journalists reveal that X’s AI team flagged Grok’s propensity for generating inappropriate content as early as November 2023. Yet, according to The Decoder, no systemic safeguards were implemented before the chatbot’s public rollout in January 2024. This delay has drawn sharp criticism from digital rights groups, including the European Digital Rights Initiative (EDRi), which called the incident a "systemic failure of ethical AI governance."

The DPC’s investigation will assess whether X violated GDPR’s principles of data minimization, purpose limitation, and accountability. Regulators will also examine whether X adequately conducted a Data Protection Impact Assessment (DPIA) prior to deploying Grok — a mandatory requirement for high-risk AI systems under the EU’s upcoming Artificial Intelligence Act. The commission has requested all training datasets, prompt-response logs, and internal risk assessments from X by April 30, 2024.

Legal experts note that if proven, the violations could result in fines of up to 4% of X’s global annual revenue — potentially exceeding $1.5 billion. More critically, the case sets a precedent for holding AI developers accountable for outputs generated by their models, even when triggered by user input. "This isn’t just about bad code," said Dr. Lena Fischer, a GDPR compliance specialist at the Max Planck Institute. "It’s about corporate negligence in deploying generative AI without adequate guardrails. The law now demands proactive harm prevention, not reactive damage control."

Meanwhile, X has not issued a formal public statement beyond a brief tweet from Musk stating, "Grok learns from feedback. We’re fixing it." Critics argue this response is inadequate given the gravity of the alleged outputs. The DPC has confirmed it is coordinating with counterparts in Germany, France, and the Netherlands, as the issue affects users across the EU. Child protection organizations are urging regulators to temporarily suspend Grok’s public access until a comprehensive audit is completed.

The case underscores a broader global reckoning with AI’s ethical boundaries. As generative models become more integrated into daily digital life, the line between innovation and exploitation grows dangerously thin. For X, the investigation may prove more consequential than any regulatory fine — it could redefine the legal and moral responsibilities of tech giants in the age of artificial intelligence.