Rb. Amsterdam - C/13/783613 / KG ZA 26-120
Dutch court bans X's Grok from generating non-consensual intimate and CSAM imagery in Netherlands.
Summary
A Dutch court issued a preliminary injunction against X (via Irish entity X Internet Unlimited Company and US X.AI LLC) prohibiting Grok from generating, editing, or distributing non-consensual intimate imagery and child sexual abuse material (CSAM) in the Netherlands. The ruling found that Grok had generated approximately 3 million sexualized images between late December 2025 and early January 2026, including ~23,000 depicting children, and that X's safeguards were insufficient under GDPR and Dutch civil law. The injunction also bars X from offering Grok's image generation functionality as long as such violations persist.
Full text
Help Rb. Amsterdam - C/13/783613 / KG ZA 26-120: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 14:10, 31 March 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators539 editsmTag: Visual edit← Older edit Latest revision as of 10:03, 1 April 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators539 editsmTag: Visual edit Line 68: Line 68: }}}} A court banned X from generating and distributing non consensual intimate and child sexual abuse material (CSAM) through Grok in The Netherlands, and prohibited X from offering Grok functionalities as long as the violations occurred. This was part of preliminary injunction proceedings.In a preliminary injunction proceeding, a court banned the social media platform X from generating and distributing non-consensual intimate and child sexual abuse material through Grok in the Netherlands, and prohibited X from offering Grok functionalities as long as the violations occurred. == English Summary ==== English Summary == === Facts ====== Facts === X (composed of US entities X.AI LLC, X CORP and Irish entity X Internet Unlimited Company, the controller) is a social media platform that provides the generative AI chatbot Grok. It is available as a standalone app or feature on the social media platform. One of the tasks that Grok does is generating visual content, where users can request the LLM to generate and/or edit images. Stichting Offlimits (a non profit organisation) estimated that Grok had generated approximately 3 million sexualised images between December 29 2025 and January 9 2026, of which approximately 23,000 depicted children. The controller had later restricted the feature to paid members, and announced measures to prevent the Grok account on X from editing images of real people. In January 2026 the EU Commission announced that it was launching an investigation on whether the controller met its obligations under the Digital Services Act (DSA) relating to the dissemination of illegal content in the EU.X is a social media platform. X.AI LLC (a US company) is the provider of the generative AI chatbot Grok. X Internet Unlimited Company (XIUC) is the Irish entity that operates the platform in the European Economic Area and the UK (outside of these regions it is provided by X Corp, a US corporation). For GDPR purposes, XIUC is the controller in this case. One of the tasks that Grok does is generating visual content, where users can request the LLM to generate and/or edit images. Stichting Offlimits (a non profit organisation) estimated that Grok had generated approximately 3 million sexualised images between December 29 2025 and January 9 2026, of which approximately 23,000 depicted children. The controller later restricted the feature to paid members, and announced measures to prevent the Grok account on X from editing images of real people. In January 2026 the EU Commission announced that it was launching an investigation on whether the controller met its obligations under the Digital Services Act (DSA) relating to the dissemination of illegal content in the EU. In February 2026 Stichting Offlimits filed preliminary injunction before the court, requesting that the court prohibit the controller from generating and/or distributing sexual imagery through the image generating functionality. This was the case for non consensual imagery and imagery classified as child pornography under national law. In addition, the organisation requested the court to prohibit the controller from offering Grok’s functionality as part of its platform as long as it allows users to generate these images. The organisation brought claims based on tort and violations of the GDPR; specifically it argued that creating and distributing non consensual nude images was unlawful processing of personal data under the GDPR. The controller argued that it was impossible to generate these images, and that it implemented technical safeguards to prevent users from circumventing the restrictions on generating images. Finally, the controller argued that it was the user who generated the images, and that Grok was a tool.In February 2026 Stichting Offlimits filed preliminary injunction before the court, requesting that the court prohibit the controller from generating and/or distributing sexual imagery through the image generating functionality. This was the case for non consensual imagery and imagery classified as child pornography under national law. In addition, the organisation requested the court to prohibit the controller from offering Grok’s functionality as part of its platform as long as it allows users to generate these images. The organisation brought claims based on tort and violations of the GDPR; specifically it argued that creating and distributing non consensual nude images was unlawful processing of personal data under the GDPR. The controller argued that it was impossible to generate these images, and that it implemented technical safeguards to prevent users from circumventing the restrictions on generating images. Finally, the controller argued that it was the user who generated the images, and that Grok was a tool. === Holding ====== Holding === The court first clarified that it was competent to hear the case. Under the GDPR, XIUC is the controller for the processing of personal data of data subjects in The Netherlands. [[Article 79 GDPR#2|Article 79(2) GDPR]] allows for proceedings to (also) be brought where the data subject (or the organisation) habitually resides. The court also had jurisdiction based on [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32012R1215 Article 7(2) of the Brussels I-bis Regulation], since the alleged damage from the controller’s alleged tortious conduct happened in The Netherlands. The court stated that it was competent within courts in The Netherlands, as it was sufficiently plausible that the alleged harm also took place in Amsterdam. Finally, the court joined the claims brought by the organisation against XIUC and the US entity X.AI LLC and X CORP, based on considerations of efficiency under national procedural law. The court first clarified that it was competent to hear the case. Under the GDPR, XIUC is the controller for the processing of personal data of data subjects in the Netherlands. [[Article 79 GDPR#2|Article 79(2) GDPR]] allows for proceedings to (also) be brought where the data subject (or the organisation) habitually resides. The court also had jurisdiction based on [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32012R1215 Article 7(2) of the Brussels I-bis Regulation], since the alleged damage from the controller’s alleged tortious conduct happened in the Netherlands. The court stated that it was competent within courts in the Netherlands, as it was sufficiently plausible that the alleged harm also took place in Amsterdam. Finally, the court joined the claims brought by the organisation against XIUC and the US entity X.AI LLC and X CORP, based on considerations of efficiency under national procedural law. In terms of substance, the court first stated that it was undisputed that the controller processed personal data in its image generating feature. The court then stated that the organisation had provided sufficient evidence in demonstrating that the feature violated data subjects’ GDPR and privacy rights; in its submissions, the organisation showed that Grok generated images of data subjects without verifying whether consent had been obtained. The court considered that the controller had not implemented sufficient safeguards, and questioned the effectiveness of the measures it had implemented.In terms of substance, the court first stated that it was undisputed that the controller processed personal data in its image generating feature. The court then stated that the organisation had provi