UK Privacy Watchdog Investigates Elon Musk's X and xAI Over Grok AI Sexual Deepfakes

Elon Musk’s social media platform X and its affiliated company xAI are under formal investigation by the UK’s Information Commissioner’s Office (ICO) following the emergence of sexual deepfake images generated by their Grok AI tool without individuals’ consent. The ICO is examining whether these companies have violated the General Data Protection Regulation (GDPR), the UK’s strict data protection law. Concerns center on the creation and dissemination of indecent deepfake images on social media, raising questions about whether proper safeguards were incorporated into Grok’s design and deployment to protect personal data.

The investigation follows reports that Grok AI produced approximately three million sexualized images in under two weeks, including around 23,000 images depicting children. These disturbing revelations prompted French prosecutors to raid X’s Paris headquarters as part of a related investigation into alleged offenses such as the distribution of child abuse images and sexually explicit deepfakes. Public backlash intensified after the platform’s Grok AI account was used to mass-produce partially nudified images of girls and women, while the standalone Grok app also facilitated the generation of sexual deepfakes.

The ICO’s executive director of regulatory risk and innovation, William Malcolm, highlighted the serious implications of using personal data to create intimate or sexualized images without consent. He emphasized that such misuse can cause immediate and significant harm, especially when children are involved. Under GDPR, personal data—including images—must be processed fairly, lawfully, and transparently, with individuals informed about how their data is used. Violations can lead to hefty fines of up to £17.5 million or 4% of a company’s global turnover. Although X’s exact revenues are undisclosed, market estimates suggest it earned $2.3 billion in advertising revenue last year, implying potential fines could reach around $90 million.

Legal experts have underscored the gravity of the situation. Iain Wilson, managing partner at Brett Wilson law firm, described the alleged use of photographs to generate non-consensual sexual imagery as a severe breach of data protection law, particularly when identifiable individuals or children are involved. The investigation also comes amid corporate changes, as X and xAI have been merged into Musk’s SpaceX rocket business, complicating oversight.

Meanwhile, the UK communications regulator Ofcom is conducting a separate inquiry into X but has clarified it is not currently investigating xAI’s standalone Grok app. Ofcom noted that not all chatbot activities fall under the Online Safety Act, which governs platforms like X. For instance, chatbots interacting with a single user may be exempt, though providers of pornographic content are covered. Ofcom is considering whether xAI has complied with age-gating regulations for adult content, which could broaden the scope of its investigation.

These developments highlight the challenges regulators face in policing AI-generated content, especially when it involves sensitive personal data and potential harm to vulnerable individuals. The case underscores the urgent need for robust safeguards and transparent data practices in AI tools to prevent misuse and protect privacy rights in an increasingly digital world.