Rb. Amsterdam - C/13/783613 / KG ZA 26-120
Dutch court bans X's Grok from generating non-consensual intimate and CSAM imagery.
Summary
The District Court of Amsterdam issued a preliminary relief order prohibiting X Internet Unlimited Company from generating and distributing non-consensual intimate images and child sexual abuse material (CSAM) through its Grok AI chatbot. Stichting Offlimits documented approximately 3 million sexualized images generated between December 2025 and January 2026, including ~23,000 depicting children. The court found X liable under GDPR for unlawful personal data processing and violation of privacy rights, rejecting X's defense that users, not the platform, were responsible for image generation.
Full text
Help Rb. Amsterdam - C/13/783613 / KG ZA 26-120: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Latest revision as of 09:12, 31 March 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators530 edits Tag: submission [1.0] (No difference) Latest revision as of 09:12, 31 March 2026 Rb. Amsterdam - C/13/783613 / KG ZA 26-120 Court: Rb. Amsterdam (Netherlands) Jurisdiction: Netherlands Relevant Law: GDPR (no specific Articles mentioned)Article 6:162(2) BW Decided: 26.03.2026 Published: 26.03.2026 Parties: X.AI LLC X CORP. X INTERNET UNLIMITED COMPANY National Case Number/Name: C/13/783613 / KG ZA 26-120 European Case Law Identifier: ECLI:NL:RBAMS:2026:3106 Appeal from: Appeal to: Unknown Original Language(s): Dutch Original Source: de Rechtspraak (in Dutch) Initial Contributor: ap A court banned X from generating and distributing non consensual intimate and child sexual abuse material (CSAM) through Grok, and prohibited X from offering Grok functionalities as long as the violations occurred. This was part of preliminary relief proceedings. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts X Internet Unlimited Company (XIUC, the controller) is a social media company that provides the generative AI chatbot Grok. This LLM is trained and maintained by the controller, and is available as a standalone app or feature on the social media platform. One of the tasks that Grok does is generating visual content, where users can request the LLM to generate and/or edit images. Stichting Offlimits (a non profit organisation) estimated that Grok had generated approximately 3 million sexualised images between December 29 2025 and January 9 2026, of which approximately 23,000 depicted children. The controller had later restricted the feature to paid members, and announced measures to prevent the Grok account on X from editing images of real people. In January 2026 the EU Commission announced that it was launching an investigation on whether the controller met its obligations under the Digital Services Act (DSA) relating to the dissemination of illegal content in the EU. In February 2026 Stichting Offlimits filed a motion for preliminary relief before the court, requesting that the court prohibit the controller from generating and/or distributing sexual imagery through the image generating functionality. This was the case for non consensual imagery and imagery classified as child pornography under national law. In addition, the organisation requested the court to prohibit the controller from offering Grok’s functionality as part of its platform as long as it allows users to generate these images. The organisation argued that creating and distributing non consensual nude images was unlawful processing of personal data under the GDPR. The controller argued that it was impossible to generate these images, and that it implemented technical safeguards to prevent users from circumventing the restrictions on generating images. Finally, the controller agued that it was the user who generated the images, and that Grok was a tool. Holding The court first clarified that it was competent to hear the case. Under the GDPR, XIUC is the controller for the processing of personal data of data subjects in The Netherlands. Article 79(2) GDPR allows for proceedings to (also) be brought where the data subject (or the organisation) habitually resides. The court also had jurisdiction based on Article 7(2) of the Brussels I-bis Regulation, since the alleged damage from the controller’s alleged tortious conduct happened in The Netherlands. The court stated that it was competent within courts in The Netherlands, as it was sufficiently plausible that the alleged harm also took place in Amsterdam. Finally, the court joined the claims brought by the organisation against XIUC and the US entity X.AI LLC and X CORP, based on considerations of efficiency under national procedural law. p. 9 In terms of substance, the court first stated that it was undisputed that the controller processed personal data in its image generating feature. The court then stated that the organisation had provided sufficient evidence in demonstrating that the feature violated data subjects’ GDPR and privacy rights; in its submissions, the organisation showed that Grok generated images of data subjects without verifying whether consent had been obtained. The court considered that the controllers had not implemented sufficient safeguards, and questioned the effectiveness of the measures it had implemented. The legal status of the evidence of child sexual abuse material (CSAM) on the platofrm, was in the court’s view, more complicated to determine. The court stated that the specific image submitted by the organisation did not show explicit nudity, and it was not evident that the person was a minor or a real person. Nonetheless, the court concluded that it was not necessary to determine the legal status of the image, as the organisation sufficiently demonstrated that Grok users can push boundaries when generating images. This means that whether CSAM is involved depends on the context, and that the controller had similarly not implemented sufficient measures to prevent this. The court granted the preliminary relief claims, as the non consensual images violated the GDPR, and that the (facilitation of) generating CSAM violated the national Civil Code. The court found that it was sufficiently plausible that the controllers unlawfully and culpably contribute to a climate of online inappropriate behaviour, and that the organisation has sufficient urgent interest. The court dismissed the controllers’ arguments in relation to the user being responsible, as the controllers were the intermediaries that controlled the functionalities of Grok. Comment The applicable law in this case is both the GDPR and the Rome II Regulation. The court stated that Dutch law applies, based on Article 14 of the Rome II Regulation. Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. This ruling has been pseudonymized in accordance with the Pseudonymization Directive ECLI:NL:RBAMS:2026:3106 Share ruling Institution Amsterdam District Court Date of ruling 26-03-2026 Date of publication 26-03-2026 Case number C/13/783613 / KG ZA 26-120 Areas of law Civil law Special features Summary proceedings Content indication The Amsterdam preliminary relief judge prohibits Grok and X from generating and distributing images of stripping and child pornography. The prohibition applies to images of persons residing in the Netherlands and to the production and distribution of images in the Netherlands. Sources Rechtspraak.nl Enriched judgment Judgment Amsterdam DISTRICT COURT Civil law, preliminary relief judge Case number: C/13/783613 / KG ZA 26-120 EAM/JD Judgment in summary proceedings of March 26, 2026 in the case of STICHTING OFFLIMITS, in Amsterdam, claimant by identical summonses on a shortened term of February 24, 2026, hereinafter referred to as: Offlimits, attorney: Mr. O.M.B.J. Volgenant and Mr. K. Han. against the company incorporated under foreign law 1. X.AI LLC. in Palo Alto, California, United States of America, hereinafter referred to as: X.AI, the company incorporated under foreign law 2. X CORP. at Bastrop, Texas, United States of America, hereinafter referred to as: X, the company incorporated under Irish law 3. X INTERNET UNLIMITED COMPANY at Dublin, Ireland, hereinafter referred to as: XIUC, defendants, Mr. A. Knigge, Mr. J.G. Reus, and Mr. P.M.A. Franssen. 1 The proceedings At the hearing of March 12, 2026, Offlimits explained the claims as described in the summons. The defendants presented their defense based on