X.AI LLC – Court Ruling (Netherlands, 2026)

X is a social media platform. X.AI LLC (a US company) is the provider of the generative AI chatbot Grok. X Internet Unlimited Company (XIUC) is the Irish entity that operates the platform in the European Economic Area and the UK (outside of these regions it is provided by X Corp, a US corporation). For GDPR purposes, XIUC is the controller in this case. One of the tasks that Grok does is generating visual content, where users can request the LLM to generate and/or edit images. Stichting Offlimits (a non profit organisation) estimated that Grok had generated approximately 3 million sexualised images between December 29 2025 and January 9 2026, of which approximately 23,000 depicted children. The controller later restricted the feature to paid members, and announced measures to prevent the Grok account on X from editing images of real people. In January 2026 the EU Commission announced that it was launching an investigation on whether the controller met its obligations under the Digital Services Act (DSA) relating to the dissemination of illegal content in the EU. In February 2026 Stichting Offlimits filed preliminary injunction before the court, requesting that the court prohibit the controller from generating and/or distributing sexual imagery through the image generating functionality. This was the case for non consensual imagery and imagery classified as child pornography under national law. In addition, the organisation requested the court to prohibit the controller from offering Grok’s functionality as part of its platform as long as it allows users to generate these images. The organisation brought claims based on tort and violations of the GDPR; specifically it argued that creating and distributing non consensual nude images was unlawful processing of personal data under the GDPR. The controller argued that it was impossible to generate these images, and that it implemented technical safeguards to prevent users from circumventing the restrictions on generati