Why UK Regulators are Investigating X and xAI

The UK's Information Commissioner's Office (ICO) has launched an official investigation into Elon Musk's social media platform X and its AI offshoot xAI. 

It comes after instances of xAI's chatbot Grok being used to generate non‑consensual sexual imagery of individuals, including children. 

It is currently illegal to share deepfakes of adults in the UK and the government is set to criminalise generating and requesting non-consensual, sexually-intimate images using AI.

Ofcom, the UK's regulatory and competition authority for broadcasting and the internet, has also revealed the next steps of its investigation into X and xAI, which was launched in January.

The grounds of ICO's investigation

The role of the ICO as a UK privacy investigator is to protect people's rights and hold organisations to account as they design and deploy AI technology.

With Grok users seemingly able to generate sexually explicit content of individuals, including under-18s, the ICO's concern is whether preventative safeguards were built into the platform.

The watchdog is set to examine how personal data is stored by content users and the platform itself, scrutinising the potential for it to cause harm.

William Malcolm, Executive Director of Regulatory Risk & Innovation at the ICO, said: "The reports about Grok raise deeply troubling questions about how people’s personal data has been used to generate intimate or sexualised images without their knowledge or consent, and whether the necessary safeguards were put in place to prevent this.

"Losing control of personal data in this way can cause immediate and significant harm. This is particularly the case where children are involved. 

"Our role is to address the data protection concerns at the centre of this, while recognising that other organisations also have important responsibilities. We are working closely with Ofcom and international regulators to ensure our roles are aligned and that people’s safety and privacy are protected. We will continue to work in partnership as part of our coordinated efforts to create trust in UK digital services.  

"Our investigation will assess whether XIUC [X Internet Unlimited Company] and xAI have complied with data protection law in the development and deployment of the Grok services, including the safeguards in place to protect people’s data rights. Where we find obligations have not been met, we will take action to protect the public."

X's response to scrutiny

In a statement, X said it had implemented global measures to prevent Grok from "allowing the editing of images of real people in revealing clothing such as bikinis" – impacting all users, including paid subscribers. 

The company also emphasised its "zero tolerance" for "any forms of child sexual exploitation, non-consensual nudity, and unwanted sexual content", but did not say any preventative technology is being used for this form of content.

X added: "Image creation and the ability to edit images via the [@]Grok account on X are now only available to paid subscribers globally. 

"This adds an extra layer of protection by helping to ensure that individuals who attempt to abuse the [@]Grok account to violate the law or our policies can be held accountable."

Ofcom's next steps

Ofcom has been in close contact with the Information Commissioner's Office and provided an update this week on its own ongoing formal investigation.

The media regulator said continues to work closely with the ICO and other regulators to "ensure tech firms keep users safe and protect their privacy". 

Ofcom stated that it is no longer investigating xAI, but is continuing to investigate whether X has broken the law. X is required by Ofcom to respond to legally-binding information requests in an "accurate, complete and timely way" – or face significant fines. 

The watchdog will "provide updates and will be as open as possible", adding that it typically takes months for such investigations to conclude.