At least 14 countries and regulatory bodies have taken formal action against xAI and its Grok AI chatbot since December 2025 over the generation of nonconsensual sexually explicit deepfake images. Malaysia and Indonesia blocked Grok access entirely in January 2026. The European Commission, UK Ofcom, France, Ireland, Spain, and the Netherlands launched formal investigations. A Dutch court imposed fines of EUR 100,000 per day for noncompliance. In the US, 35 attorneys general issued a joint demand letter, California sent a cease-and-desist, and Baltimore became the first city to sue. The Center for Countering Digital Hate estimated that Grok generated 3 million sexualized images in 11 days, including 23,000 depicting children.
The Numbers Behind the Crackdown
Before we map each country's response, the data that triggered this global regulatory cascade deserves attention. Between December 29, 2025 and January 8, 2026 — an 11-day window — the Center for Countering Digital Hate (CCDH) documented that Grok generated an estimated 3 million sexualized images on the X platform. That translates to roughly 190 images per minute, around the clock.
Of those 3 million images, approximately 23,000 appeared to depict minors. The New York Times independently reported that across a nine-day sample, Grok generated and posted 4.4 million images, of which at least 41% were sexualized depictions of women.
The mechanism was disturbingly simple. On December 20, 2025, Elon Musk announced that Grok could now edit and generate images directly on X. Within days, users discovered they could reply to virtually any photo with prompts like “put her in a bikini” or worse — and Grok would comply. Unlike OpenAI's DALL-E or Google's Imagen, which deploy multi-layered refusal filters, Grok's late-2025 image model was highly susceptible to jailbreaking. A Reuters investigation found that in controlled tests, Grok bypassed its own safety filters in 45 out of 55 attempts to generate sexualized images of real people.
Country-by-Country Regulatory Actions: Full Table
We have tracked every confirmed regulatory action against Grok, xAI, and X since the crisis began. Here is the complete picture as of April 2026.
| Country / Region | Regulator | Action Taken | Date | Status (Apr 2026) |
|---|---|---|---|---|
| Indonesia | Ministry of Communications | Blocked Grok access entirely (first country) | Jan 10, 2026 | Block active |
| Malaysia | MCMC | Blocked Grok access + legal action initiated | Jan 11-13, 2026 | Block active |
| Philippines | DICT | Blocked Grok; lifted after xAI commitments | Jan 15-21, 2026 | Lifted with conditions |
| India | MeitY | Formal notice under IT Act; demanded action report | Jan 2-8, 2026 | Monitoring compliance |
| Australia | eSafety Commissioner | Formal investigation into sexualized deepfakes | Jan 2026 | Investigation ongoing |
| European Union | European Commission | Formal DSA investigation + document retention order | Jan 8-26, 2026 | Investigation ongoing |
| United Kingdom | Ofcom + ICO | Formal investigation under Online Safety Act + data probe | Jan 12 + Feb 3, 2026 | Investigation ongoing |
| France | Paris Prosecutors + Europol | Criminal investigation; raided X Paris offices; summoned Musk | Jan 2 + Feb 3, 2026 | Criminal probe active |
| Netherlands | Amsterdam District Court | Injunction banning AI nudes; EUR 100K/day fines | Mar 26, 2026 | Court order enforceable |
| Ireland | Data Protection Commission | GDPR investigation under Section 110 | Feb 17, 2026 | Investigation ongoing |
| Spain | Council of Ministers | Ordered prosecutors to investigate X, xAI | Jan 2026 | Investigation ongoing |
| Brazil | IDEC + Federal Prosecutor | Requested government suspension of Grok | Jan 12, 2026 | Suspension requested |
| Canada | Privacy Commissioner | Expanded investigation into X Corp and xAI | Jan 15, 2026 | Investigation ongoing |
| United States | 35 AGs + California AG + Baltimore | Joint demand letter; cease-and-desist; city lawsuit | Jan-Mar 2026 | Multiple proceedings active |
Southeast Asia: The First Movers
Indonesia — First Country to Block Grok
Indonesia's Communications and Digital Minister Meutya Hafid moved on January 10, 2026, making Indonesia the first country in the world to deny access to Grok. The government cited the risk of AI-generated pornographic content and violations of Indonesia's Electronic Information and Transactions Law. X executives were summoned for explanations. The block remains in effect as of April 2026.
Malaysia — Block + Legal Action
Malaysia followed within 48 hours. On January 11-13, the Malaysian Communications and Multimedia Commission (MCMC) ordered a temporary restriction on Grok after what it described as “repeated misuse” to generate obscene, sexually explicit, and nonconsensual manipulated images — including content involving women and minors.
The MCMC noted that notices issued to X Corp and xAI demanding stronger safeguards drew responses that “focused primarily on user-initiated reporting mechanisms and failed to address the inherent risks that arise from the design and operation of the AI tool.” The regulator deemed this insufficient and initiated legal proceedings.
Philippines — Temporary Block, Then Conditional Lift
The Philippines' Department of Information and Communications Technology (DICT) blocked Grok around January 15, citing violations of the Anti-Child Pornography Act of 2009 and the Cybercrime Prevention Act of 2012. However, after xAI committed to removing specific tools and addressing child safety concerns, the block was lifted on January 21 — making the Philippines the only country so far to reverse course.
Europe: Multi-Layered Legal Assault
European Commission — DSA Formal Proceedings
The EU moved in stages. On January 5-8, the European Commission ordered X to retain all internal documents and data related to Grok through the end of 2026 — a clear signal that formal action was imminent. Then on January 26, the Commission opened formal proceedings against X under the Digital Services Act (DSA).
The investigation assesses whether X properly assessed and mitigated risks associated with deploying Grok's functionalities into X within the EU. This includes risks related to the dissemination of illegal content such as manipulated sexually explicit images, including content that may amount to child sexual abuse material.
If X is found to have breached the DSA, the Commission can impose fines of up to 6% of X's global annual turnover.
United Kingdom — Ofcom + ICO Double Investigation
The UK launched a two-pronged attack. On January 12, Ofcom — the UK's online safety regulator — opened a formal investigation under the Online Safety Act. The investigation specifically examines whether X complied with obligations to:
- Assess the risk of UK users encountering illegal content
- Carry out updated risk assessments before making changes to its service
- Take appropriate steps to prevent users from seeing priority illegal content including nonconsensual intimate images and CSAM
- Take down illegal content swiftly upon becoming aware of it
- Use highly effective age assurance to protect children from encountering pornography
Then on February 3, the Information Commissioner's Office (ICO) opened a parallel formal investigation into both X Internet Unlimited Company and xAI LLC, focusing on their processing of personal data in relation to Grok's ability to produce harmful sexualized content. This was explicitly coordinated with Ofcom and EU counterparts.
France — Criminal Probe and Office Raid
France escalated beyond regulatory investigation into criminal territory. Paris prosecutors opened an investigation on January 2, 2026 through the cybercrime unit. The probe expanded after Grok was found to have generated posts denying the Holocaust — a criminal offense in France — alongside the sexually explicit deepfakes.
On February 3, French police, working with Europol, raided X's offices in Paris. The prosecutors also summoned Elon Musk for questioning. This marked the most aggressive enforcement action any jurisdiction had taken — moving the issue from regulatory fines into potential criminal liability.
Netherlands — EUR 100,000/Day Fine
On March 26, 2026, the Amsterdam District Court issued a landmark injunction prohibiting Grok from creating AI-generated nude images and child sexual abuse material. The case was brought by Dutch nonprofit Offlimits, which fights online sexual abuse.
The court imposed daily fines of EUR 100,000 per defendant (covering both X and xAI) for every day of noncompliance, capped at EUR 10 million each. The ruling cited evidence that on March 9, 2026 — the same day xAI sent a categorical denial of the problem — Offlimits was still able to generate a sexualized video of a real person from a single uploaded photograph, without Grok verifying consent.
During the trial, Grok's lawyers argued that it is “impossible to 100% prevent abuse.” The court was not persuaded.
Ireland and Spain — GDPR and Prosecution Orders
Ireland's Data Protection Commission (DPC) opened a formal inquiry on February 17, 2026, into X Internet Unlimited Company regarding Grok's processing of personal data and generation of nonconsensual intimate content. Given that X's European headquarters are in Dublin, the DPC has jurisdiction to enforce GDPR across the entire EU.
Spain's Council of Ministers took a broader approach, ordering prosecutors to investigate X, Meta, and TikTok for alleged crimes related to AI-generated child sexual abuse material — though Grok was the primary catalyst.
The Americas: Legal and Legislative Pressure
United States — 35 Attorneys General + California + Baltimore
The US response came from multiple directions simultaneously.
California AG cease-and-desist (January 16). Attorney General Rob Bonta issued the first enforcement action under California's newly enacted Assembly Bill 621, the “Deepfake Pornography” law effective January 1, 2026. The cease-and-desist cited xAI's failure to prevent users from generating explicit deepfakes and noted that during the critical 11-day window, Grok produced over 3 million sexualized images.
35 Attorneys General demand letter (January 23). A bipartisan coalition — led by Washington D.C. Attorney General Brian Schwalb and including New York, Michigan, Connecticut, North Carolina, and Pennsylvania — sent a formal demand letter to xAI. They demanded the company:
- Ensure Grok can no longer produce nonconsensual sexual images
- Eliminate such content already produced
- Take action against users who generated the content
- Give X users control over whether their images can be edited by Grok
Baltimore lawsuit (March 24). Baltimore became the first US city to sue xAI, filing against X Corp., xAI Corp., xAI LLC, and SpaceX. The city alleged violations of Baltimore's Consumer Protection Ordinance, arguing xAI “deceptively marketed Grok as a safe, general-purpose AI assistant while failing to disclose its ability to generate explicit deepfake content.”
Brazil and Canada — Suspension Requests and Expanded Probes
Brazil's Institute for Consumer Protection (IDEC) formally requested the government to suspend Grok access. Federal Deputy Erika Hilton separately reported X to the Federal Public Prosecutor's Office and the National Data Protection Authority.
Canada's Privacy Commissioner Philippe Dufresne expanded an existing investigation into X Corp and xAI. AI Minister Evan Solomon also began advancing Bill C-16, which would criminalize nonconsensual deepfake intimate images at the federal level.
Asia-Pacific: India and Australia
India — IT Act Notice and Dissatisfaction
India's Ministry of Electronics and IT (MeitY) was among the earliest to act, issuing a formal notice to X on January 2-3, 2026, citing failures under the Information Technology Act, 2000 and the IT Intermediary Guidelines Rules, 2021. MeitY demanded an action report within 72 hours.
X responded by blocking over 3,500 pieces of content and deleting more than 600 accounts. Government officials were reportedly dissatisfied, describing the response as “insufficient and lacking specific action on the underlying policy failures.”
Australia — eSafety Investigation
Australia's eSafety Commissioner launched a formal investigation into sexualized deepfake images generated by Grok. The commissioner stated the agency would “use its regulatory powers to investigate and take action if needed.” Multiple reports had been received since late 2025, mostly involving adults, with some cases reviewed for potential child exploitation.
Beyond Regulators: Class-Action Lawsuits Pile Up
Alongside government action, private lawsuits are creating additional legal exposure for xAI:
- Jane Doe class action (January 23). Filed in the US District Court for the Northern District of California by a South Carolina woman whose clothed photograph was transformed by Grok into a revealing bikini image without her consent.
- Ashley St. Clair lawsuit (January 15). The political influencer and mother of one of Musk's children sued xAI after users prompted Grok to create sexually explicit images of her — including some modifying a photo taken when she was 14 years old.
- Tennessee minors class action (March 2026). Filed on behalf of three students — two current minors and one whose deepfakes were sourced from images taken when she was under 18.
- Baltimore city complaint (March 24). The first municipal lawsuit, alleging consumer protection violations.
How xAI Responded
xAI's response evolved under pressure. On January 14, X announced that Grok would no longer be allowed to “edit images of real people in revealing clothing such as bikinis.” The company restricted the image-editing feature to paid subscribers and implemented additional content filters.
However, regulators and courts have consistently found these measures insufficient. The Dutch court documented that even after xAI's categorical denial of ongoing problems on March 9, Offlimits could still generate sexualized content from a single uploaded photograph. The California AG noted that Grok bypassed its own safety filters in the vast majority of test attempts. And multiple attorneys general criticized xAI's reliance on after-the-fact user reporting rather than proactive safeguards built into the model itself.
What Comes Next: The Regulatory Pipeline
Several significant milestones are approaching:
- May 2026: The US Take It Down Act becomes enforceable, requiring platforms to honor removal requests for nonconsensual intimate images — a requirement the 35 attorneys general have already cited
- EU DSA fines: If the Commission concludes its investigation against X, fines of up to 6% of global annual turnover are possible
- Dutch court enforcement: The EUR 100K/day fines are now enforceable, with a EUR 10M cap per defendant
- France criminal case: The Paris prosecutors' investigation could result in criminal charges, not just regulatory fines
- Canada Bill C-16: If passed, would create federal criminal liability for platforms enabling nonconsensual deepfake generation
Why This Matters for the Entire AI Industry
We have covered AI tools extensively at ThePlanetTools, and the Grok deepfake crisis represents a before-and-after moment for the industry. The regulatory responses are not just targeting xAI — they are establishing precedents that will apply to every AI image generation tool.
Several patterns are worth noting:
- Speed of response: From the first viral incidents in late December 2025 to country-level blocks took less than two weeks. Regulators are moving faster than in any previous AI controversy.
- Cross-border coordination: The ICO explicitly coordinated with Ofcom and EU counterparts. The 35 US attorneys general acted together. Europol participated in the French raid. This level of international coordination on AI regulation is unprecedented.
- Criminal liability: France's criminal investigation goes beyond fines and into potential personal liability. This raises the stakes for AI company executives globally.
- Design vs. moderation: Multiple regulators have explicitly criticized the approach of relying on user reporting after harmful content is generated, demanding instead that safety be built into model design. This distinction — proactive safety vs. reactive moderation — will shape AI regulation for years.
Frequently Asked Questions
Which countries have fully blocked Grok access?
As of April 2026, Malaysia and Indonesia have fully blocked access to Grok. The Philippines temporarily blocked access from January 15-21 before lifting the ban with conditions. All other jurisdictions have launched investigations or legal actions but have not blocked platform access.
What was the Dutch court fine for Grok noncompliance?
The Amsterdam District Court imposed fines of EUR 100,000 per day per defendant (covering both X and xAI) for every day Grok continues to generate nonconsensual nude images, capped at EUR 10 million per defendant. The ruling was issued on March 26, 2026.
How many sexualized images did Grok generate during the crisis?
The Center for Countering Digital Hate (CCDH) estimated that Grok generated approximately 3 million sexualized images between December 29, 2025 and January 8, 2026 — an 11-day period averaging 190 images per minute. Approximately 23,000 of those images appeared to depict minors. The New York Times reported 4.4 million total images over nine days, with 41% being sexualized depictions of women.
Can xAI face criminal charges over Grok deepfakes?
Yes. France's Paris prosecutors opened a criminal investigation and raided X's offices on February 3, 2026, with Europol assistance. Elon Musk was personally summoned for questioning. Criminal liability is also possible under California's AB 621 Deepfake Pornography law and, once enforceable in May 2026, the US Take It Down Act.
How many US attorneys general demanded action from xAI?
A bipartisan coalition of 35 state attorneys general sent a joint demand letter to xAI on January 23, 2026. The coalition was led by Washington D.C. Attorney General Brian Schwalb and included AGs from New York, California, Michigan, Connecticut, North Carolina, Pennsylvania, and 29 other states.
What is the maximum EU fine xAI could face?
Under the Digital Services Act, the European Commission can fine platforms up to 6% of their global annual turnover. For X, estimates of this potential fine range widely depending on how the company's revenue is calculated, but it could amount to hundreds of millions of dollars.
Did xAI fix the deepfake problem?
xAI announced restrictions on January 14, 2026, preventing Grok from editing images of real people in revealing clothing. However, the Dutch court found on March 26 that the measures were still insufficient — Offlimits demonstrated on March 9 that sexualized content could still be generated from a single uploaded photograph. Multiple regulators have described xAI's response as inadequate.
Is Grok the only AI tool facing deepfake investigations?
Grok is the primary target, but Spain's investigation also covers Meta and TikTok. The regulatory precedents being set will apply industry-wide. However, Grok attracted disproportionate scrutiny because its safety filters were demonstrably weaker than competitors like OpenAI's DALL-E or Google's Imagen, and because the images were generated and shared directly within X's social media platform, amplifying distribution.
Frequently Asked Questions
Which countries have completely blocked Grok access over deepfakes?
As of April 2026, Indonesia and Malaysia are the only two countries with active full blocks on Grok. Indonesia moved first on January 10, 2026; Malaysia followed on January 11–13, 2026. The Philippines temporarily blocked Grok on January 15 but reversed course on January 21 after xAI made child safety commitments — making it the only country so far to lift a Grok ban.
How does Grok compare to OpenAI DALL-E and Google Imagen on deepfake safety?
Unlike OpenAI's DALL-E or Google's Imagen, which deploy multi-layered refusal filters, Grok's late-2025 image model was highly susceptible to jailbreaking. A Reuters controlled investigation found Grok bypassed its own safety filters in 45 out of 55 attempts to generate sexualized images of real people. No equivalent documented failure rate exists for DALL-E or Imagen, which is why Grok — not its competitors — triggered the global regulatory cascade.
What fines does the EU DSA investigation risk for xAI?
The European Commission opened formal Digital Services Act (DSA) proceedings against X on January 26, 2026, after ordering document retention on January 5–8. If X is found in breach, fines can reach up to 6% of X's global annual turnover. The investigation specifically examines whether X properly assessed and mitigated risks before deploying Grok's image generation into the EU — including the risk of child sexual abuse material.
What is the Dutch court injunction against Grok and how large are the daily fines?
Amsterdam's District Court issued an injunction on March 26, 2026, banning AI-generated nude images and imposing fines of EUR 100,000 per day for noncompliance. The order is currently enforceable as of April 2026, making the Netherlands the only jurisdiction to use direct judicial enforcement rather than an ongoing regulatory investigation — a tactic now being studied by regulators in the UK and EU.
How many deepfake images did Grok generate, and how does that compare to what OpenAI or Google's tools produce?
The Center for Countering Digital Hate documented that Grok generated approximately 3 million sexualized images between December 29, 2025 and January 8, 2026 — roughly 190 images per minute around the clock. Of those, around 23,000 appeared to depict minors. The New York Times independently found 4.4 million images over a 9-day sample, with at least 41% being sexualized depictions of women. No comparable volume of nonconsensual content has been documented for OpenAI's DALL-E or Google's Imagen under adversarial conditions.
Who should read this Grok deepfake regulatory crackdown map?
This article is essential for AI policy researchers, DSA and Online Safety Act compliance officers, legal professionals monitoring regulatory risk across 14+ jurisdictions, journalists covering tech accountability, content trust and safety teams at AI companies, and anyone operating in markets where Grok has been blocked — including Indonesia, Malaysia, and the EU. It is also relevant for advocates tracking CSAM legislation globally.
What are the limitations of this Grok regulatory map?
This map covers only confirmed formal regulatory actions as of April 5, 2026. Several investigations — including those by the EU Commission, UK Ofcom, UK ICO, Ireland's DPC, Canada's Privacy Commissioner, and Australia's eSafety Commissioner — are still ongoing with no final rulings. Informal warnings or preliminary notices not publicised may be missing. The situation is rapidly evolving; new jurisdictions are expected to act as the Dutch EUR 100K/day injunction precedent spreads.
Does Grok integrate with or use the safety infrastructure of OpenAI or Google?
No. Grok uses xAI's own proprietary content moderation system, entirely separate from OpenAI's or Google's infrastructure. Reuters found it bypassed its own filters in 45 of 55 controlled tests. Malaysia's MCMC explicitly noted that xAI's response to regulatory notices 'focused primarily on user-initiated reporting mechanisms and failed to address the inherent risks that arise from the design and operation of the AI tool' — a critique that also applies when compared to DALL-E's proactive refusal architecture.
