OPC finds Grok chatbot and deepfakes violated Canada's privacy law

An investigation by the Office of the Privacy Commissioner of Canada found X Corp. and xAI violated the country's federal private-sector privacy law by launching the Grok AI-powered image generation tool — which at one point allowed users to create and share more than 6,000 sexualized deepfake images per hour — without appropriate safeguards. 

In announcing the findings of the OPC's investigation into Grok, Privacy Commissioner Philippe Dufresne also called for stronger federal legislation and enforcement powers. While the OPC investigation cites statistics — including that Grok shared 1.8 million sexualized images since 29 Dec. 2025 and the Center for Countering Digital Hate's estimation that Grok generated approximately 3 million sexualized deepfakes, including 23,000 images of children, between 29 Dec. 2025 and 8 Jan. 2026  — Dufresne said the OPC lacks abilities to effectively enforce the violation of Canada's Personal Information Protection and Electronic Documents Act.   

"This investigation demonstrates why Canada needs modernized federal privacy laws that will better support the development of trustworthy, privacy-protective technologies," Dufresne said. 

Since the OPC's investigation began in January, Dufresne said X Corp. and xAI have implemented safeguards to reduce the risk of Grok's use to produce sexualized deepfakes, including a process for "anticipating and mitigating privacy issues associated with image-generation tools and other novel products" and regular reports to the OPC to "explain and demonstrate the effectiveness of their safeguards." Dufresne said the OPC will receive these reoccurring reports "until we are satisfied that the issues have been fully resolved." 

While these efforts have reduced incidents of sexualized deepfakes by 50%, Dufresne said the company declined to implement a recommendation to suspend the image generating tool until all appropriate safeguards were implemented. "And I can't force them to do it," he said. 

"Reducing it by half, to me, is not enough. It has to be reduced to almost zero, if not zero," Dufresne said. "I am encouraged by those remedial actions, but we will monitor it because the issues are serious and should have never happened in the first place." 

If the OPC is not satisfied with the results of the steps taken, Dufresne said it will "consider our alternatives," which under the current law means taking action before the federal court, and in some cases all the way to the Supreme Court.

"It's lengthy and it's expensive. This is why, since my appointment as privacy commissioner, I've been advocating to have the ability to issue orders and to issue fines," he said. "Not in all cases, but in appropriate cases. So that it gives the right incentives to organizations. It brings Canada on the same level playing field as other countries. … And it brings results faster for Canadians." 

The release of the findings in the Grok investigation follow the government's announcement of a new national AI strategy last week, AI for All, and legislation proposed this week that would require social media companies to ban children under age 16 from their platforms. 

Another proposed piece of legislation, Bill C-16, would in part criminalize sexual deepfakes, which Dufresne said "is part of the solution." 

"It's an important tool. Criminal law is an important tool," he said, noting that in the case of Grok, the company argued it is the users who are making the deepfake content. "Criminal law can and should deal with some of those issues. … But the company has an obligation as well, because if you rely on criminal law, it's going to be reactive and you're going to have a significant harm that we need to prevent." 

While he welcomes these efforts, Dufresne stressed the need for modernized privacy laws and stronger enforcement powers, including monetary penalties and the ability to issue binding orders "to ensure that organizations respect Canadians' fundamental right to privacy." He said the lack of these powers makes it more difficult to convince companies to invest in privacy from the outset. 

"The fact that at the end of the day, even in a case like this one, there is no ability to impose a financial consequence. There's no ability to impose a binding order. That creates a lack of incentive, and in some cases, maybe a disincentive to comply with the fundamental right to privacy," he said. "So that's a major gap."