Canada's Privacy Watchdog Takes Aim at Grok's Deepfake Problem
Canada's privacy commissioner has concluded that Grok — the AI image generation tool built into Elon Musk's social media platform X — was rolled out without adequate privacy protections, and in doing so, violated Canadian privacy law.
The finding comes after the Office of the Privacy Commissioner of Canada launched a formal investigation in January into the proliferation of sexual deepfakes on X. The conclusion: Grok was launched without properly considering the harms its technology could cause to real people.
What the Investigation Found
At the heart of the commissioner's concern is the ease with which Grok's image generation capabilities could be — and were — used to create non-consensual sexual imagery of real individuals. These so-called "deepfakes" can be created in seconds and have become a growing form of online abuse, particularly targeting women.
The commissioner found that X failed to conduct adequate privacy impact assessments before deploying the tool. Under Canadian privacy law, companies operating in Canada are expected to identify foreseeable risks before launching technologies that process or generate content involving identifiable individuals — and to put guardrails in place accordingly.
Grok's rollout, by contrast, was found to have skipped meaningful safeguards that could have limited the tool's potential for misuse.
A Growing Problem Across Platforms
The ruling lands amid a broader global reckoning over AI-generated sexual imagery. Countries including the United Kingdom and Australia have moved to explicitly criminalize the creation of non-consensual deepfakes, and pressure is mounting on social media platforms to do more to prevent their tools from being weaponized for harassment.
In Canada, the legal framework has largely relied on existing privacy legislation rather than deepfake-specific criminal statutes — though advocates have long called for more targeted laws. This investigation marks one of the more high-profile enforcement actions to date under that framework.
What Happens Next
The privacy commissioner's findings carry significant weight but are not automatically binding. The office can recommend remedial steps and, in some cases, refer matters to Federal Court if companies fail to comply. It's not yet clear what corrective actions, if any, X has agreed to implement following the investigation.
For now, the ruling sends a clear signal: launching AI tools in Canada without first stress-testing them for privacy harms isn't just bad practice — it can be a violation of the law.
As AI image generation becomes faster, cheaper, and more accessible, Canadian regulators appear prepared to hold platforms accountable when those tools cause harm. Whether that accountability will translate into meaningful change on platforms like X remains to be seen.
Source: CBC News Politics. Original reporting by CBC.
