EU and UK Regulators Act on AI Deepfakes

- The Irish Data Protection Commission's (DPC) probe is a large-scale inquiry examining X's compliance with fundamental obligations under the EU's GDPR, including lawfulness of processing and data protection by design. Potential fines for breaches can reach up to 4% of a company's global annual revenue. - This is not the DPC's first action against X regarding Grok; in 2024, the regulator initiated High Court proceedings that resulted in X agreeing to permanently stop using public posts from EU users to train the AI model. - The UK's amendment to its Online Safety Act closes a specific loophole where the rules did not apply to AI chatbots that only interact with a single user, rather than facilitating user-to-user content sharing. Penalties under the Act are severe, including fines of up to 10% of global turnover and the potential for UK access to be blocked. - Beyond platform regulation, a new UK law now criminalizes the *creation* of a sexually explicit deepfake without consent, not just its distribution. This means a person can be prosecuted even if the image is never shared. - The European Commission has also launched separate proceedings against X under the Digital Services Act (DSA). This investigation is assessing whether X conducted the legally required systemic risk assessments before integrating Grok into its platform. - The scale of the problem that triggered these actions was significant, with one analysis finding Grok generated more than three million sexualized images in under two weeks, including over 23,000 that appeared to depict children. Another report gathered data on 15,000 such images created within a single two-hour period. - Under the broader EU AI Act, the primary regulatory tool for deepfakes is a transparency requirement. Systems must be able to disclose that content is AI-generated, and users must label synthetic media when they share it, though critics note watermarks are easily stripped and bad actors will not self-label.