RSS

Canadian Privacy Commissioner Findings on X.ai/Grok CSAM Deepfake Violations

bparsons1 pts0 comments

PIPEDA Findings #2026-004: Commissioner-initiated complaints concerning X Corp.’s and X.AI LLC’s compliance with PIPEDA - Office of the Privacy Commissioner of Canada

Skip to main content

Skip to "About this site"

Commissioner-initiated complaints concerning X Corp.’s and X.AI LLC’s compliance with PIPEDA

Table of Contents

Overview

Background

Corporate structure

Grok

Timelines regarding the generation of non-consensual sexual content

Impact of sexualized deepfakes

Methodology and Scope

Analysis

Jurisdiction

Issue 1: Did the respondents obtain valid consent to produce sexualized deepfakes of individuals?

Issue 2: Would a reasonable person consider it appropriate for the respondents to produce sexualized deepfakes of individuals?

Initial response to the concerns following the generation of sexualized deepfakes

Recommendations

Response to the recommendations

Conclusion

Footnotes

PIPEDA Findings #2026-004

June 11, 2026

Overview

In late December 2025 and early January 2026, multiple news organizations reported that the artificial intelligence (“AI”) chatbot Grok had generated, and publicly disclosed, millions of sexually explicit deepfakes of real and identifiable individuals. Following the growing concern, on January 15, 2026, the Privacy Commissioner of Canada (“OPC”) initiated two complaints against X Corp., the operator of the platform X, and X.AI LLC (“xAI”), the developer of the chatbot Grok (together “the respondents”), pursuant to subsection 11(2) of the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Specifically, the investigation sought to determine i) whether X Corp. and xAI had obtained valid consent from individuals for the collection, use, and disclosure of their personal information to create explicit, sexualized deepfakes; and, ii) whether a reasonable person would consider the collection, use and disclosure of personal information for the purpose of an image generation service that is capable of producing explicit, sexualized deepfakes to be appropriate in the circumstances.

The OPC found that the two organizations had not obtained valid consent to collect, use, and disclose individuals’ personal information for the purpose of generating sexualized deepfakes, and that a reasonable person would consider this practice to be inappropriate in the given circumstances. Furthermore, while the respondents represented that they had performed a number of actions to address the concerns that Grok was being used to generate sexualized deepfakes (including improving their technical and organizational safeguards), the OPC found that their response to the widespread generation of such content was insufficient.

Therefore, with a view to bringing X Corp. and xAI into compliance with PIPEDA, the OPC shared its preliminary findings and made a number of recommendations to the respondents.

In their response to those preliminary findings and recommendations, X Corp. and xAI disagreed with our conclusions. They indicated that Child Sexual Abuse Material (“CSAM”) and Non-Consensual Intimate Imagery (“NCII”) have no place on their platforms and asserted that they are taking all reasonable steps necessary to prevent their occurrence and taking immediate action when such content comes to their attention.

While the OPC recognizes that X Corp. and xAI have now deployed a layered set of safeguards to reduce the risk that their tool will be misused to produce sexualized deepfakes, the OPC finds that the respondents have not, to date, demonstrated the effectiveness of these safeguards in fully mitigating this issue. In these circumstances, the OPC cannot conclude that the complaint is resolved at the time of writing this report. Consequently, the OPC considers this matter to be well-founded (and not resolved at the date of this report).

While the OPC is encouraged by the respondents’ commitments to implementing a number of privacy-protective measures in response to our recommendations, we will continue to monitor the implementation of these commitments to ensure that the serious issues highlighted in this report are fully addressed.

Background

Corporate structure

xAI is an AI company which is registered in the United States and the developer of the generative AI chatbot “Grok”.

X Corp. is a technology company responsible for the provision of the social media platform X to Canadian users. It is registered in the United States and has a registered company in Canada (X Internet Canada ULC).

Both X Corp. and xAI have holding companies (X Holding Corp. and XAI Corp. respectively), which on March 28, 2025, became wholly owned “sister” subsidiariesFootnote 1 under X.AI Holdings Corp. On February 2, 2026, X.AI Holdings Corp. and Space Exploration Technologies Corp. (SpaceX) effected a transaction pursuant to which SpaceX became the direct parent company of X.AI Holdings Corp. The xAI and X Corp. companies’ corporate structures have remained unchanged.

Grok

Grok was...

corp deepfakes sexualized grok respondents pipeda

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

Apple WWDC 2026 Livestream

nextstep32 ptsapple stream video event live feed

Claude Fable 5

Philpax30 ptsfable claude mythos model models capabilities

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.