The Chinese AI company, DeepSeek, has made headlines since launching its DeepSeek-R1 application on 20 January 2025, becoming Apple Store’s most downloaded free appAn application, downloaded by a user to a mobile or other device..
With advanced reasoning capabilities similar to ChatGPT, DeepSeek has quickly become a popular tool for users worldwide. However, its rise has sparked significant privacy and security concerns, especially regarding its data processing activities.
DeepSeek’s privacy policy states that user inputs, including personal and commercially sensitive information, may be stored indefinitely, used for AI training, and shared within its corporate group and with advertising partners.
All data collected by DeepSeek is stored in China, where privacy protections differ significantly from those in the UK and EU, where individuals are afforded strict provisions under the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR). This has escalated concerns over potential government access to user data under Chinese law.
Italy’s data protection authority, the Garante has officially banned DeepSeek citing concerns over its compliance with EU privacy regulations. This decision follows an investigation and echoes the regulator’s previous action against ChatGPT, which was temporarily banned in Italy over similar concerns.
DeepSeek must now address these compliance concerns before it can resume operations in Italy. Other EU Member State regulatory authorities are also initiating similar concerns, with Ireland’s Data Protection Commission (DPC) requesting information from DeepSeek regarding its data processing activities concerning Irish users.
David Smith, DPO and AI Sector Lead at The DPO Centre warns that DeepSeek follows a familiar pattern seen with other free-to-use large language models (LLMs).
‘DeepSeek, like the free version of ChatGPT, reserves the right to store and use input data, including personal and commercially sensitive data, for AI training. This means anything you submit could be incorporated into future outputs. Additionally, DeepSeek’s privacy policy allows data sharing within its corporate group and with advertising partners, raising further concerns.
‘As any input data is stored in China, users should be aware that their information is subject to Chinese law, which does not offer the same privacy protections as the GDPR. While DeepSeek’s technological advancements are impressive, its privacy policiesA term used to describe a series of documents (such as Privacy Notices and Registers of Processing Activities) which are used to account and explain to data subjects how their data is to be processed (most commonly associated with website ‘privacy policies’). seem to uphold the well-known adage that “if you aren’t paying for the product, you are the product.”
‘Like many services before it, DeepSeek appears to offer a free service in return for unfettered use of submitted data, with no true user control.
‘The Garante’s ban on DeepSeek in Italy may be followed by other European regulators pending adequate proof of DeepSeek’s compliance with EU law. DeepSeek’s response that they do not operate in Italy demonstrates a flawed understanding of the extra-territorial scope of the GDPR.
‘The DPO Centre advises caution when using personal or sensitive data with Software as a Service (SaaS) providers, especially Generative AI (Gen AI) tools.
‘Ensure providers have clear data processing policies that prevent them from using your data for their own purposes, including model training. Conduct thorough due diligence on security and data storage locations.
‘While DeepSeek may evolve into an enterprise-ready solution, its current practices raise concerns. We strongly advise against professional use involving personal or commercially sensitive data.
‘We will follow the investigations with interest and keep you updated with any further information.’
If your organisation would benefit from expert data protection guidance and support for any AI-technology deployment, The DPO Centre offers a range of AI Governance services.
For more news and insights about data protection follow The DPO Centre on LinkedIn