Privacy Commissioner Finds Grok Imagine Launched Without PIA

The Office of the Privacy Commissioner of Canada published a report on June 11, 2026, concluding that X Corp. and xAI violated Canada's federal private-sector privacy law (PIPEDA) by launching Grok Imagine, an AI image-generation tool, without timely or adequate privacy safeguards. Commissioner Philippe Dufresne found that a privacy impact assessment specific to Grok Imagine was not completed until March 2026 - after the tool's July 2025 launch - and that the later assessment "did not accurately reflect" risks to security, safety, and privacy. The OPC initiated the investigation in January 2026 following reports that Grok was being used to generate large volumes of non-consensual sexualized deepfakes.

The OPC report and IAPP coverage of the findings include significant harm statistics. The IAPP reports that Grok shared approximately 1.8 million sexualized images since December 29, 2025, and that the Center for Countering Digital Hate estimated Grok generated roughly 3 million sexualized deepfakes between December 29, 2025 and January 8, 2026, including 23,000 images of children. At peak, the tool was generating approximately 6,000 sexualized deepfake images per hour, according to IAPP reporting.

After the issue became public and during the investigation, X Corp. and xAI introduced safeguards to reduce misuse and began proactive sweeps to detect and remove harmful content. The OPC reports incidents of sexualized deepfakes have been reduced by 50% since the investigation began. The companies committed to providing quarterly reports and independent third-party audit reports on safeguard improvements until the OPC is satisfied the issue is fully resolved. The OPC recommended the companies suspend Grok Imagine's image-generation functionality until adequate safeguards are in place; the IAPP reports the companies declined to do so, and Commissioner Dufresne noted, "I can't force them to do it."

A central theme of the OPC's public statement is the inadequacy of current enforcement powers. Under PIPEDA as written, the Commissioner cannot issue binding orders or impose monetary penalties. Dufresne stated: "The fact that at the end of the day, even in a case like this one, there is no ability to impose a financial consequence. There's no ability to impose a binding order. That creates a lack of incentive, and in some cases, maybe a disincentive to comply with the fundamental right to privacy." The Commissioner's statement calls on the Government to modernize federal private-sector privacy law, including administrative monetary penalties and mandatory privacy impact assessments for high-risk AI activities.

The OPC news release quotes Commissioner Dufresne directly: "The creation of non-consensual, sexualized deepfakes, often targeting women and children, can have devastating consequences for victims. Organizations have a responsibility and legal obligation to protect Canadians' fundamental right to privacy."

The investigation's findings were announced the same week the Canadian Government introduced Bill C-16, which would in part criminalize sexual deepfakes, and alongside a new national AI strategy. The OPC frames the Grok case as evidence that procedural requirements for pre-launch privacy impact assessments should be codified in law with penalties for non-compliance.

Practitioners should track whether the OPC's monitoring of X Corp./xAI's quarterly commitment reports leads to further action, including any federal court referral if commitments are not met. The broader development to watch is Canada's federal privacy law modernization: if PIPEDA is amended to include binding orders and administrative monetary penalties, the enforcement posture for AI products in Canada would change materially.