The Information Commissioner’s Office has announced formal investigations into X Internet Unlimited Company (XIUC) and X.AI LLC over concerns that the Grok artificial intelligence system has been used to generate harmful sexualised imagery without consent.
The UK’s data protection regulator said it opened the investigation following reports that Grok has been used to create non-consensual sexual images of individuals, including children. The reported creation and circulation of such content raises serious concerns under UK data protection law, the ICO said.
The investigation will examine whether personal data has been processed lawfully, fairly and transparently, and whether appropriate safeguards were built into Grok’s design and deployment to prevent the generation of harmful manipulated images.
William Malcolm, the ICO’s Executive Director of Regulatory Risk and Innovation, said: “The reports about Grok raise deeply troubling questions about how people’s personal data has been used to generate intimate or sexualised images without their knowledge or consent, and whether the necessary safeguards were put in place to prevent this.”
“Losing control of personal data in this way can cause immediate and significant harm. This is particularly the case where children are involved,” Malcolm said.
“Our role is to address the data protection concerns at the centre of this, while recognising that other organisations also have important responsibilities. We are working closely with Ofcom and international regulators to ensure our roles are aligned and that people’s safety and privacy are protected. We will continue to work in partnership as part of our coordinated efforts to create trust in UK digital services.”
The regulator confirmed it is coordinating with Ofcom, which launched its own investigation into X in January under the Online Safety Act, examining whether the platform failed to protect users from illegal content.
The ICO’s announcement follows a statement on 7 January in which it confirmed contact with both companies to seek urgent information about the reports.
Reports emerged in late December 2025 that Grok’s image editing feature allowed users to modify photographs to remove or alter clothing, generating sexualised imagery without the subject’s knowledge or consent. The Internet Watch Foundation, a UK-based child safety organisation, subsequently confirmed its analysts had discovered criminal imagery of children aged between 11 and 13 which appeared to have been created using the tool.
X has since implemented measures to prevent Grok from being used to create intimate images, though both investigations remain ongoing.
Malcolm said: “Our investigation will assess whether XIUC and X.AI have complied with data protection law in the development and deployment of the Grok services, including the safeguards in place to protect people’s data rights. Where we find obligations have not been met, we will take action to protect the public.”
The ICO confirmed it will not provide further comment while the investigation proceeds.
