LONDON — The U.K.’s data protection watchdog has opened a formal investigation into Elon Musk’s companies X and xAI, over the use of personal data by the Grok AI system to generate a flood of sexualized deepfakes. In a statement on Tuesday, the Information Commissioner’s Office said the “reported creation and circulation of such content raises serious concerns under U.K. data protection law and presents a risk of significant potential harm to the public.” “These concerns relate to whether personal data has been processed lawfully, fairly and transparently, and whether appropriate safeguards were built into Grok’s design and deployment to prevent the generation of harmful manipulated images using personal data,” it said. The formal investigation follows an announcement last month that the ICO was seeking urgent information from X and xAI, amid widespread reports that Grok had been used to generate sexualized images of children and adults. William Malcolm, executive director for regulatory risk and innovation at the ICO, said the reports about Grok “raise deeply troubling questions about how people’s personal data has been used.” “Losing control of personal data in this way can cause immediate and significant harm. This is particularly the case where children are involved,” Malcolm said. “Where we find obligations have not been met, we will take action to protect the public.” While the ICO’s investigation will focus on X and xAI’s compliance with U.K. data protection law, Malcolm said it would work closely with other regulators in the U.K. and abroad that are also investigating the issue. Ofcom, the U.K.’s communications regulator, opened a formal investigation into X last month under the Online Safety Act. That investigation is ongoing, Ofcom said on Tuesday. It is progressing “as a matter of urgency” but could take “months,” Ofcom added, noting that it must follow a “fair process” and “it would not be appropriate to provide a running commentary.” Ofcom also said it is not currently investigating xAI, which provides the standalone Grok AI tool, noting that “it can only take action on online harms covered by the [OSA].” The act does not apply to AI tools which do not involve searching the internet, interacting with other social media users, or generating pornography, it said. The U.K.’s Technology Secretary Liz Kendall has previously said she is assessing options to address “gaps” in the OSA. The European Commission announced its own probe into X last month, while French authorities searched X’s offices in Paris on Tuesday as part of their own criminal investigation into Grok, POLITICO reported. X did not immediately respond when contacted for comment.

Disclaimer POLITICAL ADVERTISEMENT * The sponsor is SAP SE * The advertisement is linked to advocacy on strengthening Europe’s digital sovereignty by promoting trusted cloud and AI adoption under EU law, harmonized regulation, accountable governance and openness to global innovation to enhance security, competitiveness and strategic autonomy. More information here.

BRUSSELS — The European Union is pressing ahead with talks to grant United States border authorities unprecedented access to Europeans’ data, despite growing concerns about American surveillance. The European Commission is brokering a deal to exchange information about travelers, including fingerprints and law enforcement records, so the U.S. can determine if they “pose a risk to public security or public order,” according to official documents. Commission officials flew to Washington last week for the first round of negotiations, according to two people familiar with the matter. The Trump administration’s request for deeper access comes after the U.S. border agency in December proposed reviewing five years of social media history. Talks are happening as the U.S. Immigration and Customs Enforcement (ICE) service is under heavy scrutiny for its use of surveillance technology against protesters in cities such as Minneapolis. The negotiations should be “put on hold” until the security and privacy of citizens in the EU and U.S. can be guaranteed, liberal European Parliament member Raquel García Hermida-van der Walle said in an interview. Romain Lanneau, a legal researcher with surveillance watchdog Statewatch, said police databases in Europe could contain information on anyone from protesters to journalists who might be considered a “threat,” and that — under the deal being discussed — this information would be at the fingertips of U.S. border authorities who could refuse those people entry to the United States or even detain them. European regulators are “very cautiously looking at what’s happening in the United States,” Wojciech Wiewiórowski, the EU’s in-house data protection supervisor, told POLITICO. Europe “has to be careful” about how it allows the data of Europeans to flow to the U.S., he said.  Hermida-van der Walle in January co-signed a letter by six prominent lawmakers calling on the Commission to stand down given the “current geopolitical context,” despite Washington’s admonition that failure to reach a deal will mean Europeans lose access to its visa waiver program. UNPRECEDENTED ACCESS The U.S. is seeking access to information including biometric data such as fingerprints that is stored on national databases in European countries, according to an explanatory note sent to national experts. The data would be used to “address irregular migration and to prevent, detect, and combat serious crime and terrorist offences,” the note said. In an earlier opinion on the deal, the European Data Protection Supervisor (EDPS) — a watchdog that advises the Commission on privacy policies — noted the deal would be the first of its kind to enable “large-scale sharing of personal data … for the purpose of border and immigration control” with a non-EU country. The Commission would negotiate a framework deal that would serve as a template for bilateral agreements called Enhanced Border Security Partnerships (EBSPs), which national governments agree with Washington. EU countries in December signed off on the Commission’s request to start talks with the U.S. Washington is pressuring its EU counterparts by imposing a deadline for the bilateral deals to be agreed by the end of 2026. If countries fail to reach a deal with the U.S. they risk being cut from the latter’s visa waiver program. The U.S has made it mandatory for all countries that are part of the visa waiver program to have an EBSP in place. “The pressure which the United States is extorting on our member states, the threats that if you don’t agree with this we will cancel your access to the visa waiver program, that is an element of blackmail that we cannot let go,” Hermida-van der Walle said. The EDPS watchdog has cautioned that the scope of data sharing should be as narrow as possible, with clear justifications for every query; transparency around how the data is used; and judicial redress available in the U.S. for any person. Commission spokesperson Markus Lammert emphasised at a recent press briefing that the framework being negotiated will involve “clear and robust safeguards on data protection,” and will ensure “a non-systematic nature of the information exchange and that the exchange is limited to what is strictly necessary to achieve the objectives of this cooperation.”  US PRIVACY UNDER PRESSURE Access to the data is the latest issue putting pressure on a troubled relationship between the U.S. and the EU on data privacy. Since whistleblower Edward Snowden in 2013 revealed U.S. mass surveillance practices affecting Europeans, the EU has tightened controls on how Washington handles Europeans’ data. Since the return of Donald Trump as president last year, officials and rights groups have deplored a move by the U.S. administration to gut a key privacy watchdog tasked with overseeing privacy safeguards in place to protect Europeans. The Trump administration has also been ramping up mass surveillance of citizens by federal agencies like ICE, including through contracts with Israeli spyware company Paragon, surveillance giant Palantir and other firms. Capgemini, a prominent French IT firm, on Sunday said it was selling off its American activities after it faced political backlash from the French government that its software was being used by ICE authorities. Civil rights groups, lawmakers and other watchdogs fear the new EU-U.S. data sharing deals would add to backsliding on privacy rights.    “The current initiatives are being presented as toward counter-terrorism, but a lot of them are actually adopted for the chilling effect [on political activism],” Statewatch’s Lanneau said. Hermida-van der Walle, the liberal lawmaker, warned: “If people have to go to the United States, if it’s not a choice but something that they have do, there is a risk of self-censoring.”  “This comes from an administration who claims to be the biggest defender of free speech. What they’re doing with their actions is curtailing the possibility of people to express themselves freely, because otherwise they might not get access into the country,” she said.

The Netherlands’ incoming government wants to push Europe toward a tighter intelligence-sharing club — including what it calls a potential “European equivalent” of the Five Eyes alliance — as part of a broader overhaul of its security services. The new coalition argues, in its governing plans published Friday, that rising threats require faster and more proactive intelligence agencies while preserving the country’s tradition of operating under strict rule-of-law safeguards. The proposals include boosting funding and digital infrastructure for the civilian intelligence agency (AIVD) and military intelligence service (MIVD), and strengthening the role of the national counterterrorism coordinator. At the European level, The Hague says it wants to intensify cooperation with a core group of like-minded countries, explicitly floating a continent-wide version of the “Five Eyes” intelligence partnership (which is made up of Australia, Canada, New Zealand, the U.K., and the U.S.). In October, the heads of the two Dutch agencies announced they would stop sharing certain information with their U.S. counterparts, citing political interference and human rights concerns. Instead they would look at increasing cooperation with other European services, like the U.K., Poland, France, Germany and the Nordic countries. Domestically, the government plans to fast-track a revamped Intelligence and Security Services Act, rewriting the law to focus on threats rather than specific investigative tools and making it “technology-neutral” so agencies are not outpaced by innovation. Supervisory bodies would be merged to provide streamlined, but legally robust, oversight. The agenda also calls for expanding the operational research capacity of Dutch intelligence services to help build Europe’s “strategic autonomy,” while deepening ties with tech firms and recruiting top technical talent.

BRUSSELS — An identity tool that underpins the digital lives of Dutch people and has partly fallen into American hands is prompting the country to reconsider its reliance on U.S. technology. In the Netherlands, almost every citizen regularly uses the online identification tool DigiD to book a doctor’s appointment, buy a house or access online public services. With a Dutch supplier of the tool in the process of being acquired by a U.S. technology company, that’s prompting concerns that the Netherlands is giving away critical technology at a moment of heightened sensitivity around the country’s wholesale use of American services. As Dutch lawmakers in the parliament’s digital affairs committee met Tuesday to debate the issue, they received a petition signed by 140,000 people calling on the government to block the acquisition. “If the Dutch government does something that [U.S. President Donald] Trump doesn’t like, he can shut down our government with one push of a button,” the petition reads. “That’s a big danger.”  The debate over DigiD has put the spotlight on a topic that has been simmering for a while.  With the Netherlands a long-time proponent of the transatlantic relationship, Dutch society is built on U.S. technology and IT services — as is the country’s government. That’s now seen as a glaring security issue as Trump fires off threats toward Europe.  Two-thirds of the domain names of Dutch governments, schools and other critical companies rely on at least one U.S. cloud provider, research by the Dutch public broadcaster showed Sunday, with Microsoft the frontrunner.  “We are the most Microsoft-loving country of the whole world,” said Bert Hubert, a Dutch cybersecurity expert and former intelligence watchdog. “The Dutch government uses more Microsoft than the U.S. government.” OMNIPRESENT Questions over DigiD’s relationship with U.S. technology started in early November.  U.S. cloud provider Kyndryl, a recent spin-off of the well-known U.S. tech company IBM, announced at the time that it would acquire Dutch cloud provider Solvinity. That company doesn’t own the online identification tool DigiD but provides the platform on which it runs.  To Dutch people, DigiD is ubiquitous in their lives. “Every time you want to rent a house in the Netherlands, make an appointment with the doctor or do something in the hospital, you have to go through DigiD,” Hubert said.  Potential U.S. control over such an omnipresent tool triggered fierce pushback.  Last year the International Criminal Court, based in The Hague, ditched Microsoft as a service provider amid concerns about U.S. sanctions targeting the court. | Erik S. Lesser/EPA Putting vital digital infrastructure in American hands “raises Dutch vulnerability for outages, manipulation or even blackmail,” a group of experts, among them Hubert, said in a letter their lawyers sent mid-January to the ministry service in charge of scrutinising acquisitions.   The acquisition could also endanger the security of Dutch people’s sensitive personal data, lawmakers and experts argue. “The risk is that it falls under the U.S. Cloud Act, which says that it doesn’t matter if data is hosted on EU soil, but if the service is done by a U.S. company, then the [U.S.] government can ask for that data,” said Barbara Kathmann, lawmaker of the GreenLeft-Labour party and expert in digital affairs.  The Dutch Economy Ministry is now looking into the deal and whether it raises national security concerns, a ministry representative said in the Dutch parliament last week. Kyndryl said in a statement that it “always lived up to relevant Dutch and European requirements for the security of customers’ data and will continue to comply with existing obligations of Solvinity to its customers.” CAUTIONARY TALE The Solvinity acquisition has put the spotlight on a topic that has been simmering for a while.  Last year the International Criminal Court, based in The Hague, ditched Microsoft as a service provider amid concerns about U.S. sanctions targeting the court.  The ICC case and the Solvinity acquisition should serve as a cautionary tale for Europe to start mapping its reliance on the U.S. and nurturing European alternatives, said Sarah El Boujdaini, a lawmaker for the centrist D66 — the party of the incoming prime minister Rob Jetten. “We need to have a wider look at where our most vulnerable dependencies are, where we need to take back control, and where we need to procure more from European companies,” said El Boujdaini.  That should include a particular focus on government services and services that people access continually, several interviewees said. “Traditional government services should not be outsourced to other countries, especially not countries that are willing and have shown to be capable of weaponizing those dependencies,” said Dutch liberal European Parliament lawmaker Bart Groothuis.  “Of course [the government] should make use of the services of ICT providers,” said Hubert, “but what you should not do is give a part of your society that you depend on 24 hours a day to a company that can be acquired.”

BRUSSELS — The European Commission’s vice president Henna Virkkunen sounded the alarm about Europe’s dependence on foreign technology on Tuesday, saying “it’s very clear that Europe is having our independence moment.” “During the last year, everybody has really realized how important it is that we are not dependent on one country or one company when it comes to some very critical technologies,” she said at an event organized by POLITICO. “In these times … dependencies, they can be weaponized against us,” Virkkunen said. The intervention at the event — titled Europe’s race for digital leadership — comes at a particularly sensitive time in transatlantic relations, after U.S. President Donald Trump’s recent threats to take over Greenland forced European politicians to consider retaliation. Virkkunen declined to single out the United States as one of the partners that the EU must de-risk from. She pointed to the Covid-19 pandemic and Russia’s invasion of Ukraine as incidents that point to Europe’s “vulnerabilities.” She said the U.S. is a key partner, but also noted that “it’s very important for our competitiveness and for our security, that we have also our own capacity, that we are not dependent.” The Commission’s executive vice president for tech sovereignty swung behind the idea of using public contracts as a way to support the development of European technology companies and products. “We should use public procurement, of course, much more actively also to boost our own growing technologies in the European Union,” she said when asked about her stance on plans to “Buy European.” Those plans, being pushed by the French EU commissioner Stéphane Séjourné, in charge of European industy, to ensure that billions in procurement contracts flow to EU businesses, are due to be outlined in an upcoming Industrial Accelerator Act that has been delayed multiple times. “Public services, governments, municipalities, regions, also the European Commission, we are very big customers for ICT services,” Virkkunen said. “And we can also boost very much European innovations [and startups] when we are buying services.” Virkkunen is overseeing a package of legislation aimed at promoting tech sovereignty that is expected to come out this spring, including action on cloud and artificial intelligence, and microchips — industries in which Europe is behind global competitors. When asked where she saw the biggest need for Europe to break away from foreign reliance, the commissioner said that while it was difficult to pick only one area, “chips are very much a pre-condition for any other technologies.” “We are not able to design and manufacture very advanced chips. It’s very problematic for our technology customer. So I see that semiconductor chips, they are very much key for any other technologies,” she said.

Germany and Italy on Friday backed an organization dedicated to fighting hybrid threats and disinformation, weeks after the United States exited it and called it “wasteful.” Since the start of the war in Ukraine, Russia has hammered Europe with hybrid attacks ranging from cyberattacks, destruction of property and transport links, disinformation, drone incursions and even attempted assassinations. Analysts argue the aim of the hybrid campaign is to reduce European support for Ukraine.  Italian Prime Minister Giorgia Meloni and German Chancellor Friedrich Merz met in Rome to adopt a “plan of action for strategic bilateral and EU cooperation.” In the joint plan, the two countries committed to “strengthening” the European Centre of Excellence for Countering Hybrid Threats. The center was one of dozens of organizations from which U.S. President Donald Trump withdrew in early January on the grounds that they were “wasteful, ineffective, and harmful.” Meloni and Merz committed to “exchange on hybrid threats, information resilience and strategic communications,” as well as prioritizing a wide range of cybersecurity policies such as the protection of critical infrastructure, cyber capacity building projects and tackling cybercrime. They also said they will “prioritize disruptive and dual-use technologies” for cyber defense. The two European leaders also pushed to boost the EU’s intelligence-sharing capacities, in particular the “hybrid fusion cell” within the EU Intelligence and Situation Centre (EU INTCEN).

BRUSSELS — The U.S. and EU are hoping to attract $800 billion of public and private funds to help rebuild Ukraine once Russia ends its full-scale invasion, according to a document obtained by POLITICO. The 18-page document outlines a 10-year plan to guarantee Ukraine’s recovery with a fast-tracked path toward EU membership. The European Commission circulated the plans with EU capitals ahead of the leaders’ summit Thursday evening where the document, dated Jan. 22, was addressed, according to three EU officials and diplomats who were granted anonymity to talk about the sensitive topic. While Brussels and Washington are lining up hundreds of billions of dollars in long-term funding and pitching Ukraine as a future EU member and investment destination, the strategy hinges on a ceasefire that remains elusive — leaving the prosperity plan vulnerable as long as the fighting continues. The funding strategy stretches until 2040 alongside an immediate 100-day operational plan to get the project off the ground. But the prosperity plan will struggle to attract outside investment if the conflict rumbles on, according to the world’s largest money manager, BlackRock, which is advising on the reconstruction plan in a pro-bono capacity. “Think about it. If you’re a pension fund, you’re fiduciary towards your clients, your pensioners. It’s nearly impossible to invest into a war zone,” BlackRock’s vice chairman, Philipp Hildebrand, said Wednesday in an interview at the World Economic Forum in Davos. “I think it has to be sequenced and that’s going to take some time.” The prosperity plan is part of a 20-point peace blueprint that the U.S. is attempting to broker between Kyiv and Moscow. It explicitly assumes that security guarantees are already in place and is not intended as a military roadmap. Instead, it focuses on how Ukraine can transition from emergency assistance to self-sustaining prosperity. A three-way meeting between Ukraine, Russia and the U.S. will take place in Abu Dhabi on Friday and Saturday, as the all-out conflict nears its fourth anniversary. The U.S. is set to play a prominent role in Ukraine’s recovery. Rather than framing Washington primarily as a donor, the document positioned the U.S. as a strategic economic partner, investor and credibility anchor for Ukraine’s recovery.  The note anticipates direct participation by U.S. companies and expertise on the ground, and highlights America’s role as a mobilizer of private capital. BlackRock’s chief executive, Larry Fink, has sat in on peace talks with Kyiv alongside U.S. President Donald Trump’s son-in-law, Jared Kushner, and his special envoy, Steve Witkoff. SHOW ME THE MONEY Over the next 10 years, the EU, the U.S. and international financial bodies, including the International Monetary Fund and the World Bank, have pledged to spend $500 billion of public and private capital, the document said. The Commission intends to spend a further €100 billion on Kyiv through budget support and investment guarantees, as part of the bloc’s next seven-year budget from 2028. This funding is expected to unlock €207 billion in investments for Ukraine. The U.S. pledged to mobilize capital through a dedicated U.S.-Ukraine Reconstruction Investment Fund, but did not attach a figure.  While Trump has slashed military and humanitarian support to Ukraine during the war, it showed willingness to invest in the country after the end of the conflict. Washington said in the document that it will invest in critical minerals, infrastructure, energy and technology projects in Ukraine.  But business is unlikely to boom before the eastern front falls silent. “It’s very hard to see that happening at scale as long as you have drones and missiles flying,” BlackRock’s Hildebrand said. Kathryn Carlson reported from Davos, Switzerland.

China’s foreign ministry on Wednesday said a new European Commission proposal to restrict high-risk tech vendors from critical supply chains amounted to “blatant protectionism,” warning European officials that Beijing will take “necessary measures” to protect Chinese firms. Beijing has “serious concerns” over the bill, Chinese foreign ministry spokesperson Guo Jiakun told reporters, according to state news agencies’ reports. “Using non-technical standards to forcibly restrict or even prohibit companies from participating in the market, without any factual evidence, seriously violates market principles and fair competition rules,” Guo said. The European Commission on Tuesday unveiled its proposal to revamp the bloc’s Cybersecurity Act. The bill seeks to crack down on risky technology vendors in critical supply chains ranging across energy, transport, health care and other sectors. Though the legislation itself does not name any specific countries or companies, it is widely seen as being targeted at China. 5G suppliers Huawei and ZTE are in the EU’s immediate crosshairs, while other Chinese vendors are expected to be hit at a later stage. European Commission spokesperson Thomas Regnier responded to the Chinese foreign ministry, saying Europe has allowed high-risk vendors from outside the EU in strategic sectors for “far too long.” “We are indeed radically changing this. Because we cannot be naive anymore,” Regnier said in a statement. The exclusion of high-risk suppliers will always be based on “strong risk assessments” and in coordination with EU member countries, he said. China “urges the EU to avoid going further down the wrong path of protectionism,” the Chinese foreign ministry’s Guo told reporters. He added the EU bill would “not only fail to achieve so-called security but will also incur huge costs,” saying some restrictions on using Huawei had already “caused enormous economic losses” in Europe in past years. European telecom operators warned Tuesday that the law would impose multi-billion euro costs on the industry if restrictions on using Huawei and ZTE were to become mandatory across Europe. A Huawei spokesperson said in a statement that laws to block suppliers based on their country of origin violate the EU’s “basic legal principles of fairness, non-discrimination, and proportionality,” as well as its World Trade Organization obligations. The company “reserve[s] all rights to safeguard our legitimate interests,” the spokesperson said. ZTE did not respond to requests for comment on the EU’s plans.

BRUSSELS — A new EU rule mandating that a higher proportion of passengers pass through electronic identity border checks risks “wreaking significant discomfort on travelers,” warned the head of the bloc’s airport lobby. But a Commission spokesperson insisted that the electronic check system, which first went into limited use in October with a higher proportion of travelers to be checked from Friday, “has operated largely without issues.” The new Entry/Exit System is aimed at replacing passport stamps and cracking down on illegal stays in the bloc. Under the new system, travelers from third countries like the U.K. and the U.S. must register fingerprints and a facial image the first time they cross the frontier before reaching a border officer. But those extra steps are causing delays. In October, 10 percent of passengers had to use the new system; as of Friday, at least 35 percent of non-EU nationals entering the Schengen area for a short stay must use it. By April 10, the system will be fully in place. Its introduction last year caused issues at many airports, and industry worries that Friday’s step-up will cause a repeat. The EES “has resulted in border control processing times at airports increasing by up to 70 percent, with waiting times of up to three hours at peak traffic periods,” said Olivier Jankovec, director general of ACI Europe, adding that Friday’s new mandate is “sure to create even worse conditions.” Brussels Airport spokesperson Ihsane Chioua Lekhli said: “The introduction of EES has an impact on the waiting time for passengers and increases the need for sufficient staffing at border control,” adding: “Peak waiting times at arrival (entry of Belgium) can go up to three hours, and we also saw an increase of waiting times at departures.” But the Commission rejected the accusation that EES is wreaking havoc at EU airports. “Since its start, the system has operated largely without issues, even during the peak holiday period, and any initial challenges typical of new systems have been effectively addressed, moreover with it, we know who enter in the EU, when, and where,” said Markus Lammert, the European Commission’s spokesperson for internal affairs. Lamert said countries “have refuted the claim” made by ACI Europe of increased waiting times and that concerns over problems related to the new 35 percent threshold have been “disproven.” That’s in stark contrast with the view of the airport lobby, which pointed to recent problems in Portugal. Under the new system, travelers from third countries like the U.K. and the U.S. must register fingerprints and a facial image the first time they cross the frontier before reaching a border officer. | iStock “There are mounting operational issues with the EES rollout — the case in point being the suspension of the system by the Portuguese government over the holidays,” Jankovec said. In late December, the Portuguese government suspended the EES at Lisbon Humberto Delgado Airport for three months and deployed military personnel to bolster border control capabilities. ADR, which operates Rome Fiumicino Airport, is also seeing issues. “Operational conditions are proving highly complex, with a significant impact on passenger processing times at border controls,” ADR said in a written reply. Spain’s hotel industry association asked the country’s interior ministry to beef up staffing, warning of “recurring bottlenecks at border controls.” “It is unreasonable that, after a journey of several hours, tourists should face waits of an hour or more to enter the country,” said Jorge Marichal, the lobby’s president. The Spanish interior ministry said the EES is being used across the country with “no queues or significant incidents reported to date.” However, not all airports are having trouble implementing the new system. The ADP Group, which manages the two largest airports in Paris, said it has “not observed any chaos or increase in waiting times at this stage.”