[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftI2XO6bBLEOPSvugR_DmSkBgX7Udx2gc65B9hPAvQiQ":3},{"article":4,"iocs":43},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":18,"category":19,"article_tags":22},"a71f663b-7a44-412d-ba8f-0fa543ebee41","Rb. Amsterdam - C\u002F13\u002F783613 \u002F KG ZA 26-120","rb-amsterdam-c-13-783613-kg-za-26-120-3","← Older revision Revision as of 10:03, 1 April 2026 Line 68: Line 68: }} }} A court banned X from generating and distributing non consensual intimate and child sexual abuse material (CSAM) through Grok in The Netherlands, and prohibited X from offering Grok functionalities as long as the violations occurred. This was part of preliminary injunction proceedings. In a preliminary injunction proceeding, a court banned the social media platform X from generating and distributing non-consensual intimate and child sexual abuse material through Grok in the Netherlands, and prohibited X from offering Grok functionalities as long as the violations occurred. == English Summary == == English Summary == === Facts === === Facts === X (composed of US entities X.AI LLC, X CORP and Irish entity X Internet Unlimited Company, the controller) is a social media platform that provides the generative AI chatbot Grok. It is available as a standalone app or feature on the social media platform. One of the tasks that Grok does is generating visual content, where users can request the LLM to generate and\u002For edit images. Stichting Offlimits (a non profit organisation) estimated that Grok had generated approximately 3 million sexualised images between December 29 2025 and January 9 2026, of which approximately 23,000 depicted children. The controller had later restricted the feature to paid members, and announced measures to prevent the Grok account on X from editing images of real people. In January 2026 the EU Commission announced that it was launching an investigation on whether the controller met its obligations under the Digital Services Act (DSA) relating to the dissemination of illegal content in the EU. X is a social media platform. X.AI LLC (a US company) is the provider of the generative AI chatbot Grok. X Internet Unlimited Company (XIUC) is the Irish entity that operates the platform in the European Economic Area and the UK (outside of these regions it is provided by X Corp, a US corporation). For GDPR purposes, XIUC is the controller in this case. One of the tasks that Grok does is generating visual content, where users can request the LLM to generate and\u002For edit images. Stichting Offlimits (a non profit organisation) estimated that Grok had generated approximately 3 million sexualised images between December 29 2025 and January 9 2026, of which approximately 23,000 depicted children. The controller later restricted the feature to paid members, and announced measures to prevent the Grok account on X from editing images of real people. In January 2026 the EU Commission announced that it was launching an investigation on whether the controller met its obligations under the Digital Services Act (DSA) relating to the dissemination of illegal content in the EU. In February 2026 Stichting Offlimits filed preliminary injunction before the court, requesting that the court prohibit the controller from generating and\u002For distributing sexual imagery through the image generating functionality. This was the case for non consensual imagery and imagery classified as child pornography under national law. In addition, the organisation requested the court to prohibit the controller from offering Grok’s functionality as part of its platform as long as it allows users to generate these images. The organisation brought claims based on tort and violations of the GDPR; specifically it argued that creating and distributing non consensual nude images was unlawful processing of personal data under the GDPR. The controller argued that it was impossible to generate these images, and that it implemented technical safeguards to prevent users from circumventing the restrictions on generating images. Finally, the controller argued that it was the user who generated the images, and that Grok was a tool. In February 2026 Stichting Offlimits filed preliminary injunction before the court, requesting that the court prohibit the controller from generating and\u002For distributing sexual imagery through the image generating functionality. This was the case for non consensual imagery and imagery classified as child pornography under national law. In addition, the organisation requested the court to prohibit the controller from offering Grok’s functionality as part of its platform as long as it allows users to generate these images. The organisation brought claims based on tort and violations of the GDPR; specifically it argued that creating and distributing non consensual nude images was unlawful processing of personal data under the GDPR. The controller argued that it was impossible to generate these images, and that it implemented technical safeguards to prevent users from circumventing the restrictions on generating images. Finally, the controller argued that it was the user who generated the images, and that Grok was a tool. === Holding === === Holding === The court first clarified that it was competent to hear the case. Under the GDPR, XIUC is the controller for the processing of personal data of data subjects in The Netherlands. [[Article 79 GDPR#2|Article 79(2) GDPR]] allows for proceedings to (also) be brought where the data subject (or the organisation) habitually resides. The court also had jurisdiction based on [https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FALL\u002F?uri=celex%3A32012R1215 Article 7(2) of the Brussels I-bis Regulation], since the alleged damage from the controller’s alleged tortious conduct happened in The Netherlands. The court stated that it was competent within courts in The Netherlands, as it was sufficiently plausible that the alleged harm also took place in Amsterdam. Finally, the court joined the claims brought by the organisation against XIUC and the US entity X.AI LLC and X CORP, based on considerations of efficiency under national procedural law. The court first clarified that it was competent to hear the case. Under the GDPR, XIUC is the controller for the processing of personal data of data subjects in the Netherlands. [[Article 79 GDPR#2|Article 79(2) GDPR]] allows for proceedings to (also) be brought where the data subject (or the organisation) habitually resides. The court also had jurisdiction based on [https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FALL\u002F?uri=celex%3A32012R1215 Article 7(2) of the Brussels I-bis Regulation], since the alleged damage from the controller’s alleged tortious conduct happened in the Netherlands. The court stated that it was competent within courts in the Netherlands, as it was sufficiently plausible that the alleged harm also took place in Amsterdam. Finally, the court joined the claims brought by the organisation against XIUC and the US entity X.AI LLC and X CORP, based on considerations of efficiency under national procedural law. In terms of substance, the court first stated that it was undisputed that the controller processed personal data in its image generating feature. The court then stated that the organisation had provided sufficient evidence in demonstrating that the feature violated data subjects’ GDPR and privacy rights; in its submissions, the organisation showed that Grok generated images of data subjects without verifying whether consent had been obtained. The court considered that the controller had not implemented sufficient safeguards, and questioned the effectiveness of the measures it had implemented. In terms of substance, the court first stated that it was undisputed that the controller processed personal data in its image generating feature. The court then stated that the organisation had provided sufficient evidence in demonstrating that the feature violated data subjects’ GDPR and privacy rights; in its submissions, the organisation showed that Grok generated images of data subjects without verifying whether consent had been obtained. The court considered that the controller had not implemented sufficient safeguards, and questioned the effectiveness of the measures it had implemented. Line 84: Line 86: The legal status of the evidence of child sexual abuse material (CSAM) on the platform was, in the court’s view, more complicated to determine. The court stated that the specific image submitted by the organisation did not show explicit nudity, and it was not evident that the person was a minor since the image depicted a fictional character. Nonetheless, the court concluded that it was not necessary to determine the legal status of the image, as the organisation sufficiently demonstrated that Grok users can push boundaries when generating images. This means that whether CSAM is involved depends on the context, and that the controller had similarly not implemented sufficient measures to prevent this. The legal status of the evidence of child sexual abuse material (CSAM) on the platform was, in the court’s view, more complicated to determine. The court stated that the specific image submitted by the organisation did not show explicit nudity, and it was not evident that the person was a minor since the image depicted a fictional character. Nonetheless, the court concluded that it was not necessary to determine the legal status of the image, as the organisation sufficiently demonstrated that Grok users can push boundaries when generating images. This means that whether CSAM is involved depends on the context, and that the controller had similarly not implemented sufficient measures to prevent this. The court granted the preliminary injunction claims, as the non consensual images violated the GDPR, and the (facilitation of) generating CSAM violated the national Civil Code. The court found that it was sufficiently plausible that the controller unlawfully and culpably contributes to a climate of online inappropriate behaviour, and that the organisation has sufficient urgent interest. The court dismissed the controller’s arguments in relation to the user being responsible, as the controller (was the intermediaries that controlled the functionalities of Grok. Therefore, the court prohibited both XIUC and X.AI from generating and\u002For distributing sexual imagery without explicit consent of the individuals involved residing in The Netherlands through its Grok function. This was also the case for producing, distributing, offering and publicly displaying CSAM. The US entity X.AI was included, on the grounds that harm could still occur in The Netherlands even if X facilitates the distribution of images of Dutch nationals outside of The Netherlands. The court acknowledged that it did not have international jurisdiction to rule on the legality of distributing generated images of fictional persons outside of The Netherlands. Therefore, the injunction against X.AI was limited to unlawful images of persons residing in The Netherlands. This limitation, however, did not apply to XIUC. The court granted the preliminary injunction claims, as the non consensual images violated the GDPR, and the (facilitation of) generating CSAM violated the national Civil Code. The court found that it was sufficiently plausible that the controller unlawfully and culpably contributes to a climate of online inappropriate behaviour, and that the organisation has sufficient urgent interest. The court dismissed the controller’s arguments in relation to the user being responsible, as the controller was the intermediary that controlled the functionalities of Grok. Therefore, the court prohibited both XIUC and X.AI from generating and\u002For distributing sexual imagery without explicit consent of the individuals involved residing in the Netherlands through its Grok function. This was also the case for producing, distributing, offering and publicly displaying CSAM. The US entity X.AI was included, on the grounds that harm could still occur in the Netherlands even if X facilitates the distribution of images of Dutch nationals outside of the Netherlands. The court acknowledged that it did not have international jurisdiction to rule on the legality of distributing generated images of fictional persons outside of the Netherlands. Therefore, the injunction against X.AI was limited to unlawful images of persons residing in the Netherlands. This limitation, however, did not apply to XIUC. == Comment == == Comment ==","A Dutch court issued a preliminary injunction against X (via Irish entity X Internet Unlimited Company and US X.AI LLC) prohibiting Grok from generating, editing, or distributing non-consensual intimate imagery and child sexual abuse material (CSAM) in the Netherlands. The ruling found that Grok had generated approximately 3 million sexualized images between late December 2025 and early January 2026, including ~23,000 depicting children, and that X's safeguards were insufficient under GDPR and Dutch civil law. The injunction also bars X from offering Grok's image generation functionality as long as such violations persist.","Dutch court bans X's Grok from generating non-consensual intimate and CSAM imagery in Netherlands.","Help Rb. Amsterdam - C\u002F13\u002F783613 \u002F KG ZA 26-120: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 14:10, 31 March 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators539 editsmTag: Visual edit← Older edit Latest revision as of 10:03, 1 April 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators539 editsmTag: Visual edit Line 68: Line 68: }}}} A court banned X from generating and distributing non consensual intimate and child sexual abuse material (CSAM) through Grok in The Netherlands, and prohibited X from offering Grok functionalities as long as the violations occurred. This was part of preliminary injunction proceedings.In a preliminary injunction proceeding, a court banned the social media platform X from generating and distributing non-consensual intimate and child sexual abuse material through Grok in the Netherlands, and prohibited X from offering Grok functionalities as long as the violations occurred. == English Summary ==== English Summary == === Facts ====== Facts === X (composed of US entities X.AI LLC, X CORP and Irish entity X Internet Unlimited Company, the controller) is a social media platform that provides the generative AI chatbot Grok. It is available as a standalone app or feature on the social media platform. One of the tasks that Grok does is generating visual content, where users can request the LLM to generate and\u002For edit images. Stichting Offlimits (a non profit organisation) estimated that Grok had generated approximately 3 million sexualised images between December 29 2025 and January 9 2026, of which approximately 23,000 depicted children. The controller had later restricted the feature to paid members, and announced measures to prevent the Grok account on X from editing images of real people. In January 2026 the EU Commission announced that it was launching an investigation on whether the controller met its obligations under the Digital Services Act (DSA) relating to the dissemination of illegal content in the EU.X is a social media platform. X.AI LLC (a US company) is the provider of the generative AI chatbot Grok. X Internet Unlimited Company (XIUC) is the Irish entity that operates the platform in the European Economic Area and the UK (outside of these regions it is provided by X Corp, a US corporation). For GDPR purposes, XIUC is the controller in this case. One of the tasks that Grok does is generating visual content, where users can request the LLM to generate and\u002For edit images. Stichting Offlimits (a non profit organisation) estimated that Grok had generated approximately 3 million sexualised images between December 29 2025 and January 9 2026, of which approximately 23,000 depicted children. The controller later restricted the feature to paid members, and announced measures to prevent the Grok account on X from editing images of real people. In January 2026 the EU Commission announced that it was launching an investigation on whether the controller met its obligations under the Digital Services Act (DSA) relating to the dissemination of illegal content in the EU. In February 2026 Stichting Offlimits filed preliminary injunction before the court, requesting that the court prohibit the controller from generating and\u002For distributing sexual imagery through the image generating functionality. This was the case for non consensual imagery and imagery classified as child pornography under national law. In addition, the organisation requested the court to prohibit the controller from offering Grok’s functionality as part of its platform as long as it allows users to generate these images. The organisation brought claims based on tort and violations of the GDPR; specifically it argued that creating and distributing non consensual nude images was unlawful processing of personal data under the GDPR. The controller argued that it was impossible to generate these images, and that it implemented technical safeguards to prevent users from circumventing the restrictions on generating images. Finally, the controller argued that it was the user who generated the images, and that Grok was a tool.In February 2026 Stichting Offlimits filed preliminary injunction before the court, requesting that the court prohibit the controller from generating and\u002For distributing sexual imagery through the image generating functionality. This was the case for non consensual imagery and imagery classified as child pornography under national law. In addition, the organisation requested the court to prohibit the controller from offering Grok’s functionality as part of its platform as long as it allows users to generate these images. The organisation brought claims based on tort and violations of the GDPR; specifically it argued that creating and distributing non consensual nude images was unlawful processing of personal data under the GDPR. The controller argued that it was impossible to generate these images, and that it implemented technical safeguards to prevent users from circumventing the restrictions on generating images. Finally, the controller argued that it was the user who generated the images, and that Grok was a tool. === Holding ====== Holding === The court first clarified that it was competent to hear the case. Under the GDPR, XIUC is the controller for the processing of personal data of data subjects in The Netherlands. [[Article 79 GDPR#2|Article 79(2) GDPR]] allows for proceedings to (also) be brought where the data subject (or the organisation) habitually resides. The court also had jurisdiction based on [https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FALL\u002F?uri=celex%3A32012R1215 Article 7(2) of the Brussels I-bis Regulation], since the alleged damage from the controller’s alleged tortious conduct happened in The Netherlands. The court stated that it was competent within courts in The Netherlands, as it was sufficiently plausible that the alleged harm also took place in Amsterdam. Finally, the court joined the claims brought by the organisation against XIUC and the US entity X.AI LLC and X CORP, based on considerations of efficiency under national procedural law. The court first clarified that it was competent to hear the case. Under the GDPR, XIUC is the controller for the processing of personal data of data subjects in the Netherlands. [[Article 79 GDPR#2|Article 79(2) GDPR]] allows for proceedings to (also) be brought where the data subject (or the organisation) habitually resides. The court also had jurisdiction based on [https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FALL\u002F?uri=celex%3A32012R1215 Article 7(2) of the Brussels I-bis Regulation], since the alleged damage from the controller’s alleged tortious conduct happened in the Netherlands. The court stated that it was competent within courts in the Netherlands, as it was sufficiently plausible that the alleged harm also took place in Amsterdam. Finally, the court joined the claims brought by the organisation against XIUC and the US entity X.AI LLC and X CORP, based on considerations of efficiency under national procedural law. In terms of substance, the court first stated that it was undisputed that the controller processed personal data in its image generating feature. The court then stated that the organisation had provided sufficient evidence in demonstrating that the feature violated data subjects’ GDPR and privacy rights; in its submissions, the organisation showed that Grok generated images of data subjects without verifying whether consent had been obtained. The court considered that the controller had not implemented sufficient safeguards, and questioned the effectiveness of the measures it had implemented.In terms of substance, the court first stated that it was undisputed that the controller processed personal data in its image generating feature. The court then stated that the organisation had provi","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Rb._Amsterdam_-_C\u002F13\u002F783613_\u002F_KG_ZA_26-120&diff=51201&oldid=51196",null,"2026-04-01T10:03:34+00:00","2026-04-01T12:00:24.942169+00:00",8,[],"c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":18,"icon":13,"name":20,"slug":21},"Policy","policy",[23,28,33,38],{"category":24},{"id":25,"icon":13,"name":26,"slug":27},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":29},{"id":30,"icon":13,"name":31,"slug":32},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":34},{"id":35,"icon":13,"name":36,"slug":37},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",{"category":39},{"id":40,"icon":13,"name":41,"slug":42},"f22671ea-092b-4568-aede-526bb16dedd5","EU AI Act","eu-ai-act",[]]