Canada privacy commissioner faults xAI over Grok deepfake safeguards
Canada's privacy commissioner, Philippe Dufresne, said xAI violated federal private-sector privacy law by launching Grok's image-generation tool without adequate safeguards against sexualised deepfake images, according to a report released on 11 June 2026. The finding does not itself carry a fine or binding order under Canada's current PIPEDA framework, but the commissioner said xAI has committed to monitoring for sexualised deepfakes proactively rather than only after complaints. The case matters beyond Canada because it treats an AI image generator's design choices as a privacy and safety issue, not only a content-moderation problem. In Europe, the same risk sits at the intersection of the Digital Services Act, GDPR-style data-protection duties and the AI Act's synthetic-content transparency rules. For Belgian users, schools, public figures and businesses on X, the practical question is whether platform safeguards arrive before reputational or personal harm spreads.
Belgian residents, parents, students, public figures, journalists and SMEs use the same global platforms that Canadian regulators are now scrutinising. The immediate harm is personal: an image can be generated, shared and indexed before a victim knows it exists. For Belgian companies and public bodies, the case is a compliance signal because the European Commission and national data-protection authorities can frame similar failures under EU platform, privacy and AI rules. It also matters to voters because synthetic sexual abuse can deter women and young people from public life.
Grok (xAI's chatbot and image-generation product, integrated with X and launched after Elon Musk founded xAI in 2023) is the product at the centre of the finding. xAI (Elon Musk's artificial-intelligence company, incorporated in the United States in 2023) develops Grok and related models. Elon Musk (South African-born US entrepreneur who owns X and leads Tesla, SpaceX and xAI) is the controlling public figure behind the company. Philippe Dufresne (Canada's privacy commissioner since 2022) heads the federal watchdog that enforces privacy law through an ombudsman model. PIPEDA (Canada's Personal Information Protection and Electronic Documents Act, in force since 2001) governs private-sector handling of personal information in commercial activity. X (formerly Twitter, renamed after Musk's 2022 acquisition) is the social platform where Grok has been deployed. The Digital Services Act (EU platform-safety regulation adopted in 2022) gives the European Commission oversight of very large online platforms. The EU AI Act (Regulation 2024/1689) adds transparency duties for AI-generated or manipulated content.
Background
Deepfake pornography emerged from machine-learning communities in the late 2010s, but the regulatory focus shifted after generative AI made image manipulation available to ordinary users. The European Union adopted the Digital Services Act in 2022 and designated X as a very large online platform in 2023, creating systemic-risk duties for illegal content and user protection. The EU AI Act entered into force in 2024 and its Article 50 transparency obligations for synthetic audio, image, video and text become applicable in 2026. Researchers Will Hawkins, Chris Russell and Brent Mittelstadt found in 2025 that public deepfake model variants had become widely downloadable, showing why platform-level safeguards matter.
Why now
The trigger is the Canadian privacy commissioner's 11 June 2026 report, which followed a January probe into Grok's image-generation safeguards and landed amid wider litigation and regulatory scrutiny of sexualised AI deepfakes.
What to watch
Watch whether xAI publishes concrete monitoring measures, whether Canadian lawmakers use the case to revisit PIPEDA enforcement powers, and whether EU regulators connect Grok's image-generation risks to DSA systemic-risk duties or AI Act transparency obligations before August 2026.
Opposing perspectives
- Canada privacy commissioner
The commissioner's frame is that Grok's launch design created privacy risk from the outset. In this view, the relevant question is not only whether xAI removed images after complaints, but whether the company built adequate safeguards before enabling realistic image manipulation of identifiable people.
- xAI / platform-operator defence
xAI's strongest available defence is procedural and remedial: the company can argue that it restricted harmful image generation, moved features behind tighter controls and committed to monitoring abuse proactively. That frame treats the Canadian finding as a compliance gap being corrected rather than proof that the product should be removed.
- EU digital-safety regulators
The EU regulatory frame is broader than one product. Under the Digital Services Act and AI Act, the issue is whether very large platforms and AI providers assess systemic risks, label synthetic content and reduce foreseeable harms before illegal or abusive material spreads across borders.
Sources & evidence
- Al Jazeera / Reuters - Musk's Grok accused of violating Canadian privacy laws on deepfakes · 2026-06-11
- The Guardian - New claimants seek to sue Elon Musk's xAI after Labour MP's test case · 2026-06-05
- The Guardian - EU launches inquiry into X over sexually explicit images made by Grok AI · 2026-01-26
- Regulation (EU) 2022/2065 - Digital Services Act · 2022-10-27
- Regulation (EU) 2024/1689 - Artificial Intelligence Act · 2024-07-12
- Will Hawkins, Chris Russell and Brent Mittelstadt, Deepfakes on Demand: the rise of accessible non-consensual deepfake i · 2025-05-06
- Li Qiwei et al., Reporting Non-Consensual Intimate Media: An Audit Study of Deepfakes, 2024 · 2024-09-18
