- The UK Information Commissioner’s Office opened a formal investigation on 3 February 2026 into X Internet Unlimited Company and X.AI LLC over Grok’s processing of personal data.
- The probe was triggered by reports that Grok generated non-consensual sexual imagery of individuals, including children, using their personal data.
- ICO Executive Director William Malcolm said the reports raise “deeply troubling questions” about how personal data was used to create intimate images without consent.
- The communications regulator Ofcom launched a parallel investigation, marking the first time both UK regulators have simultaneously targeted the same AI system.
What Happened
The UK’s Information Commissioner’s Office (ICO) announced on 3 February 2026 that it had opened formal investigations into two entities behind the Grok AI chatbot: X Internet Unlimited Company (XIUC), which operates the X social media platform, and X.AI LLC, the artificial intelligence company founded by Elon Musk. The ICO’s announcement confirmed the investigations cover the processing of personal data in connection with Grok and its ability to produce what the regulator described as “harmful sexualised image and video content.”
The investigation followed initial contact on 7 January 2026, when the ICO became aware of reports that Grok had been used to generate non-consensual sexual imagery of real people, including minors. The regulator requested urgent information from both companies about what safeguards existed within the system.
On the same day, Ofcom — the UK’s online safety regulator — announced its own parallel investigation into X and Grok under the Online Safety Act.
Why It Matters
This is the first time the ICO and Ofcom have simultaneously opened investigations into the same AI product, signaling a coordinated regulatory approach to AI systems that handle personal data and public-facing content. The dual probe means X and xAI face scrutiny under both UK data protection law and online safety legislation at once.
William Malcolm, Executive Director of Regulatory Risk and Innovation at the ICO, stated: “The reports about Grok raise deeply troubling questions about how people’s personal data has been used to generate intimate or sexualised images without their knowledge or consent, and whether the necessary safeguards were put in place to prevent this.”
Information Commissioner John Edwards referenced the live investigation during his keynote at the IAPP UK Intensive conference in late February 2026, underscoring the seriousness the regulator attaches to the case.
Technical Details
The ICO’s investigation focuses on three specific areas under UK data protection law. First, whether personal data was processed lawfully, fairly, and transparently — meaning whether X users were adequately informed that their data might be used to train Grok’s image generation capabilities. Second, whether X.AI built appropriate safeguards into Grok’s design to prevent the system from generating manipulated intimate imagery. Third, whether the deployment process included adequate risk assessments for potential misuse.
Grok is integrated into the X platform, giving it access to public posts, images, and user profile data. The investigation will examine whether this integration created pathways for the AI to use personal photographs as source material for synthetic content without user consent.
Neither X nor xAI has issued a public response to the investigation as of April 2026.
Who’s Affected
The investigation directly concerns X users in the United Kingdom whose personal data — including photographs and profile information — may have been processed by Grok. The ICO’s particular concern is for individuals whose likenesses were used to generate sexualised content without consent, with additional emphasis on the risk to children.
The outcome could also set precedent for how AI companies operating in the UK must handle training data that contains identifiable personal information. Companies developing generative AI systems that process UK user data will be watching the investigation closely for signals about regulatory expectations around consent, safeguards, and data protection impact assessments.
What’s Next
The ICO has stated that no determination has been made regarding potential infringements, and outcomes will depend on the evidence gathered and the companies’ responses. Under UK GDPR, the ICO has the power to issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. However, enforcement action — if any — could take months or longer. The parallel Ofcom investigation under the Online Safety Act adds a separate layer of regulatory risk for X, with its own potential penalties.