Full Report
The joint statement comes on the heels of the Grok AI chatbot creating and sharing millions of images of “nudified” real people.
Analysis Summary
# Regulation/Compliance: Joint Warning on AI-Generated Depictions of Real People
## Overview
This summary outlines the joint statement released by data protection authorities (DPAs) from 61 countries, addressing serious concerns about the development and use of AI content generation systems that produce realistic images and videos depicting identifiable individuals without their knowledge or consent. This statement was prompted by incidents such as the creation and sharing of nonconsensual intimate imagery ("nudified" images) by the Grok AI chatbot.
## Key Details
- **Issuing Authority:** A coalition of Data Protection Authorities (DPAs) from 61 countries (including most of Europe, Canada, South Korea, UAE, Mexico, Argentina, and Peru. The U.S. is noted as a non-signer).
- **Effective Date:** The joint statement was published on Monday, February 23rd, 2026. Specific new regulatory mandates mentioned (like the UK's) have their own effective dates based on the article context.
- **Jurisdiction:** Primarily covers the jurisdictions of the 61 signing DPAs, reflecting global concern over data privacy, dignity, and safety in the context of AI.
- **Status:** **Guidance/Warning Statement**. This is a joint call to action, reinforcing existing data protection laws, though it also references imminent or existing national mandates (e.g., the UK's forthcoming requirements).
## Requirements
### Mandatory Requirements (Based on the Warning and Referenced National Contexts)
1. **Safeguard Against Nonconsensual Depictions:** Organizations developing or using AI must implement robust safeguards from the outset to prevent these systems from generating realistic images or videos depicting identifiable individuals without their knowledge and consent.
2. **Block Harmful Content:** Specifically block the ability to generate nonconsensual intimate imagery (NCII), defamatory depictions, and content contributing to cyberbullying or child exploitation.
3. **Adherence to Existing Law:** Organizations must ensure their AI practices comply with existing national laws in signatory countries, noting that the creation of NCII is already illegal in many jurisdictions.
4. **Proactive Regulatory Engagement:** Organizations are specifically called upon to engage proactively with regulators regarding these AI systems.
### Recommended Practices
1. **Ensure Dignity and Fundamental Rights:** Technological advancement must not compromise the privacy, dignity, safety, and fundamental rights of individuals, especially the vulnerable.
2. **Implement Robust Safeguards:** Establish and integrate strong internal controls and technical measures within AI platforms designed to prevent misuse immediately.
## Affected Organizations
- **Industries:** Organizations developing or deploying generative AI content systems, social media platforms hosting or enabling such content, and any entity using these tools to depict real individuals.
- **Organization Size:** The warning is addressed broadly, but the severity of referenced penalties (e.g., percentage of global revenue) targets large, internationally operating technology companies.
- **Geographic Scope:** Applies to organizations operating within or targeting citizens of the 61 signatory DPA jurisdictions.
## Compliance Timeline
The statement itself is an immediate call to action (Feb 23, 2026). Specific hard deadlines mentioned related to national legislation appear to be pending or forthcoming:
- **Immediate Action:** Engage proactively with regulators and implement robust safeguards immediately.
- **UK Specific (Contextual):** Tech companies will be **required to remove intimate images shared without consent within 48 hours** once the mandated legislation takes effect.
- **Final deadline:** Full compliance depends on the enforcement timelines of the individual DPAs in the signatory countries, driven by the urgency highlighted in the statement.
## Implementation Guidance
### Assessment Phase
- **Verify Identity Resolution:** Assess AI models' ability to realistically generate identifiable individuals and identify pathways for prompt injection or failure states that lead to the creation of prohibited content (NCII, defamation).
- **Policy Review:** Review AI usage policies against the fundamental rights emphasized by the DPAs (privacy, dignity, safety).
### Implementation Phase
- **Implement Technical Filters:** Deploy and continuously update content filtering layers designed to screen inputs and outputs for patterns matching NCII or harmful depictions.
- **Consent Mechanism Validation:** Establish clear processes for documenting and verifying explicit consent when the likeness of a real person is intentionally used or generated for legitimate purposes.
### Validation Phase
- **Red-Teaming/Testing:** Conduct regular, rigorous testing (including adversarial testing) to ensure safeguards against generating prohibited material remain effective across various versions and deployments of the AI system.
- **Audit Trails:** Maintain auditable records on content generation requests and refusals related to real individual depictions.
## Technical Requirements
While not a single standard, the requirements imply:
1. **Input/Output Content Filtering:** Mandatory use of classifiers/filters to block prompts and generated outputs related to NCII and defamatory content.
2. **PII/Biometric Handling:** Strict protocols must govern any training data or parameters that allow the system to map attributes to specific, identifiable real persons (implied data minimization/privacy by design).
## Penalties & Enforcement
The article highlights penalties referenced by an accompanying national announcement (UK), which sets a high benchmark for severe enforcement actions:
- **Fines:** Up to **10% of the company’s "qualifying" global revenue** (as seen in the referenced UK context).
- **Other Consequences:** Potential for the service to be **blocked in the country** (e.g., the UK).
- **Enforcement:** Enforcement will be carried out by the respective Data Protection Authorities in each of the 61 signatory nations, leveraging existing data protection (e.g., GDPR-like) frameworks, supplemented by specific legislation like the one mentioned in the UK.
## Related Standards
- **GDPR (General Data Protection Regulation):** While not explicitly cited as the basis for the joint statement, the principles of privacy infringement, dignity, and the severity of fines strongly align with GDPR enforcement mechanisms, particularly Article 5 (Principles relating to processing of personal data).
- **Sector-Specific AI Legislation:** Organizations should monitor upcoming regional AI acts (e.g., the EU AI Act, which categorizes certain AI uses as "unacceptable risk") for formal alignment.
## Resources
- **Official Documentation:** Joint Statement on AI-Generated Imagery (The specific PDF link cited in the article: `https://ico.org.uk/media2/fb1br3d4/20260223-iewg-joint-statement-on-ai-generated-imagery.pdf`)
- **Guidance Documents:** Relevant national guidance from DPAs concerning deepfakes, NCII, and privacy implications of generative AI.
- **Tools:** Internal AI safety and filtering toolsets.
## Practical Recommendations
1. **Prioritize NCII Mitigations:** Treat the prevention of nonconsensual intimate imagery as a top critical priority, implementing technical controls immediately.
2. **Global Risk Mapping:** Map current AI deployments against the 61 jurisdictions involved in the warning to understand immediate regulatory exposure.
3. **Establish Response Procedures:** Develop and test a 48-hour (or faster) escalation and takedown procedure for confirmed harmful or nonconsensual generated content impacting identifiable individuals.
4. **Document Proactive Measures:** Catalog all safeguards implemented to demonstrate "proactive engagement" when interacting with DPAs.