UK ICO Opens Formal Investigation into Grok AI for Personal Data Violations, UK, February 2026

On February 3, 2026, the UK Information Commissioner's Office opened formal investigations into X Internet Unlimited Company and X.AI LLC covering their processing of personal data in relation to the Grok AI system. The investigations follow reports that Grok was used to generate non-consensual sexual imagery, including of children. The action is at the investigation stage; no enforcement notice or fine has been issued. The ICO will not comment further while the investigation proceeds.

The controlling authority is the UK GDPR and the Data Protection Act 2018. The ICO may issue fines of up to 17.5 million GBP or 4% of an organisation's annual worldwide turnover, whichever is higher. The investigation assesses whether personal data was processed lawfully, fairly, and transparently; whether individuals' data protection rights can be exercised effectively; whether risks to people — particularly children and vulnerable groups — were identified and mitigated; and whether high-risk processing involving synthetic or manipulated imagery used a Data Protection Impact Assessment. The ICO is coordinating with Ofcom under the Digital Regulatory Cooperation Forum.

AI developers and platform operators offering services to UK users must establish lawful bases for personal data processing, implement privacy-by-design principles from development through to deployment, and conduct Data Protection Impact Assessments for high-risk processing — including any generation of synthetic imagery using identifiable personal data. AI providers outside the UK who target UK users remain subject to UK GDPR's extraterritorial scope under Article 3. This investigation signals that AI-generated harmful content constitutes a potential UK GDPR breach requiring active risk mitigation.

No determination has been made on whether UK GDPR has been infringed. Enforcement action, if any, will follow after the ICO's assessment, representations from X Internet Unlimited Company and X.AI, and a formal decision. Parallel Ofcom proceedings under the Online Safety Act 2023 address the online safety dimension separately. Open questions remain about how the ICO will define the scope of "personal data" used to train the model versus data generated as outputs.

Our firm advises AI developers, platform operators, and technology companies on UK GDPR compliance and data protection obligations, and maintains a dedicated partner network for UK and EU data protection matters. We are available to assist with AI system compliance reviews, Data Protection Impact Assessments for generative AI, and regulatory investigation response. Our work covers UK GDPR compliance, AI Act data governance, generative AI risk assessment, ICO investigation response, data protection impact assessments, and online safety law.

Source: ICO, "ICO announces investigation into Grok," Statement, February 3, 2026, https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/ico-announces-investigation-into-grok/

The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.