Spain Launches Criminal Probe Into X, Meta, and TikTok Over AI Deepfakes

The Spanish government’s decision to pursue a criminal investigation against X, Meta, and TikTok marks a significant escalation in the global regulatory battle against generative AI harms. Unlike previous civil penalties under the Digital Services Act (DSA) or GDPR, this move by Madrid seeks to hold tech giants criminally liable for the proliferation of nonconsensual intimate imagery (NCII) and child sexual abuse material (CSAM) generated by artificial intelligence. The catalyst for this probe is the staggering scale of the issue: approximately 3 million AI-generated nude images, many featuring minors, were detected circulating across these platforms in a period of less than two weeks. This volume highlights a critical failure in existing automated moderation systems to keep pace with the rapid generation capabilities of modern AI tools and the sheer velocity of cloud-based distribution networks.

At the heart of the investigation is the role of recommendation algorithms. Elma Saiz, Spain’s Minister of Inclusion, Social Security, and Migration, explicitly stated that the government cannot allow such content to be 'amplified or emboldened' by the very systems designed to drive user engagement. This shifts the legal focus from the mere hosting of illegal content to the active promotion of it. For SaaS and social media providers, this signals a narrowing of 'safe harbor' protections. If a platform's algorithm identifies and pushes harmful AI-generated content to users, the platform may no longer be viewed as a neutral intermediary but as a participant in the distribution of illegal material. This is particularly relevant for the cloud infrastructure providers that host these generative models, as the liability chain could potentially extend to the compute layer if negligence is proven in the training or deployment phases of these technologies.

“

The Spanish government’s decision to pursue a criminal investigation against X, Meta, and TikTok marks a significant escalation in the global regulatory battle against generative AI harms.

The platforms involved have responded with varying degrees of defense. Meta Platforms emphasized its strict policies and the fact that its own AI tools are trained to refuse requests for nude imagery. TikTok similarly pointed to its 'robust systems' designed to thwart exploitation. However, the Spanish probe suggests that these internal safeguards are insufficient when faced with third-party AI tools—like open-source models or X’s Grok—whose outputs are then shared across the broader social ecosystem. X, under Elon Musk, has faced particular scrutiny for its more permissive content moderation stance, though the company maintains it has a zero-tolerance policy for child exploitation. The inclusion of Grok in this context is notable, as it represents a direct link between a platform's proprietary AI product and the content appearing on its feed, creating a tighter loop of corporate responsibility that regulators are now eager to exploit.

This investigation could set a precedent for how European Union member states handle AI-driven crimes. While the EU AI Act provides a regulatory framework, Spain is utilizing national criminal law to address the immediate 'mental health, dignity, and rights' of its citizens. Industry analysts should watch for whether other EU nations follow Spain’s lead, which could lead to a fragmented but highly aggressive legal landscape for US-based tech firms. Short-term consequences likely include mandatory audits of recommendation engines and potential requirements for more aggressive 'fingerprinting' of AI-generated content to prevent its re-upload. Long-term, this may force a fundamental redesign of how social algorithms prioritize content, moving away from raw engagement metrics toward a 'safety-by-design' architecture that can proactively identify and suppress deepfake clusters before they reach viral velocity. Furthermore, the criminal nature of the probe implies that individual executives could eventually face personal liability, a prospect that would drastically alter the risk-reward calculus for AI deployment in European markets, forcing companies to prioritize safety over rapid innovation cycles.