News release

Privacy Commissioner of Canada investigation into the Grok chatbot and sexualized deepfakes finds companies violated privacy law

June 11, 2026 – Ottawa, Ontario

An investigation by the Privacy Commissioner of Canada has found that Grok’s AI image-generation tool was launched without proper safeguards or sufficient consideration of potential privacy harms.

This lack of protections allowed users around the globe to create and share non-consensual, sexualized deepfakes, many targeting women and children.

In a report released today, Commissioner Philippe Dufresne found that X Corp. and xAI violated Canada’s federal private-sector privacy law.

The Commissioner initiated the investigation in January following reports that the Grok tool was being used to generate millions of sexualized deepfakes, which can have devastating consequences for victims.

After the issue came to public attention, and during the investigation, X and xAI introduced new measures, including safeguards to reduce the risk that their tool will be misused to produce sexualized deepfakes, and proactive sweeps to detect and remove this harmful content on their platforms.

While the Privacy Commissioner is encouraged by the measures that have been implemented, he has recommended additional action by the companies to further improve these measures and demonstrate their effectiveness in mitigating this issue.

In response, the companies have committed to, among other things, provide quarterly reports as well as independent third-party audit reports on improvements to safeguards with evidence to demonstrate their effectiveness. These reports are to be submitted until the issue of sexualized deepfakes is fully resolved.

The Office of the Privacy Commissioner of Canada (OPC) will continue to monitor the implementation of these commitments to ensure that the serious issues identified during the investigation are properly addressed.

This case underscores the critical importance of rigorously assessing and addressing privacy risks at the outset of any new initiative to prevent serious harm to individuals.

It also highlights the urgency of moving forward with reform of Canada’s federal private-sector privacy law.

The Government’s new national artificial intelligence strategy for Canada includes a commitment to modernize Canada’s federal private-sector privacy law to enshrine a fundamental right to privacy.

Under the current law, the Privacy Commissioner is not empowered to issue orders to ensure that organizations respect Canadians’ fundamental right to privacy.

Commissioner Dufresne has advocated for modernized legislation to address this gap. He has also recommended other amendments, including a new legal obligation for organizations to implement privacy by design and conduct privacy impact assessments for high-risk activities, as well as the ability to impose administrative monetary penalties for organizations that do not comply with privacy law.

On Wednesday, the Government tabled legislation that would introduce new safety requirements for social media services and AI chatbot services. The Commissioner welcomed these efforts to implement measures to make the online world a safer space for Canadians – and especially for children.

Quote

“The creation of non-consensual, sexualized deepfakes, often targeting women and children, can have devastating consequences for victims. Organizations have a responsibility and legal obligation to protect Canadians’ fundamental right to privacy.

While I am encouraged by the companies’ remedial actions to date, my Office will continue to monitor the implementation of the commitments that the companies have made to prevent and respond to these types of harmful activities on the platform. We will work to ensure that the serious issues highlighted in the investigation are fully addressed.

The Grok investigation highlights the need for modern privacy laws that are designed for a modern world and include administrative monetary penalties and the power to make orders to bring companies into compliance. Modernized privacy laws can support both innovation and privacy protection by establishing clear guardrails that ensure the responsible and trustworthy management of Canadians’ personal information.”

Philippe Dufresne
Privacy Commissioner of Canada

Related link

• Report of Findings: Commissioner-initiated complaints concerning X Corp.’s and X.AI LLC’s compliance with PIPEDA
• Statement by the Privacy Commissioner of Canada on investigation into Grok chatbot and sexualized deepfakes

Media contact

Office of the Privacy Commissioner of Canada
communications@priv.gc.ca