Formal investigations have been launched into whether Elon Musk’s X and xAI have complied with data protection law after chatbot Grok was used to create sexualised deepfake images.
The Information Commissioner’s Office (ICO) confirmed it has opened the investigations on Tuesday afternoon. In a statement, it said the reports raised “serious concerns” under UK data protection laws, such as whether “appropriate safeguards were built into Grok’s design and deployment”.
It comes after outrage over Grok’s ability to digitally ‘strip’ victims without their consent, generating deepfake images of them nude or in minimal clothing. Women told The Independent they had been left feeling “violated and humiliated” after the “dehumanising” images were created by the chatbot.
X has since said it has brought in measures to address the issues raised.
William Malcolm, executive director regulatory risk and innovation at the ICO said the office is “working closely with Ofcom” and other regulators to “ensure that people’s safety and privacy are protected”.
He added the loss of personal data in this way “can cause immediate and significant harm”.
In January, technology secretary Liz Kendall encouraged Ofcom to use “the full range of its powers” under the Online Safety Act after the regulator announced an investigation into whether X has complied with UK laws.
In a previous statement, Ofcom said it will determine whether X “has complied with its duties to protect people in the UK from content that is illegal”.
The regulator said unlike the ICO, it was not investigating xAI, which provides the standalone Grok chatbot app.
Ministers brought forward legislation to ban generating sexual deepfake images without consent following outrage over the chatbot. Following the ban, Sir Keir Starmer said X must act to comply with UK laws “immediately” and that “young women’s images are not public property, and their safety is not up for debate”.
In a statement released on Tuesday, Mr Malcolm said: “The reports about Grok raise deeply troubling questions about how people’s personal data has been used to generate intimate or sexualised images without their knowledge or consent, and whether the necessary safeguards were put in place to prevent this. Losing control of personal data in this way can cause immediate and significant harm. This is particularly the case where children are involved.
“Our role is to address the data protection concerns at the centre of this, while recognising that other organisations also have important responsibilities. We are working closely with Ofcom and international regulators to ensure our roles are aligned and that people’s safety and privacy are protected. We will continue to work in partnership as part of our coordinated efforts to create trust in UK digital services.
“Our investigation will assess whether XIUC and X.AI have complied with data protection law in the development and deployment of the Grok services, including the safeguards in place to protect people’s data rights. Where we find obligations have not been met, we will take action to protect the public.”
