The Chinese AI startup, DeepSeek, has recently attracted significant attention due to its rapid rise and the concerns it has raised among data protection watchdogs. The company's large language model has made waves in the tech industry, but now it is facing scrutiny from regulators in Europe. Within a short span of time, both the Irish and Italian data protection authorities have requested detailed information about how DeepSeek processes personal data, particularly concerning citizens within their jurisdictions. Additionally, consumer groups like Euroconsumers have filed complaints, emphasizing potential risks to millions of users' data privacy.

The core issues revolve around the handling of personal data, especially given that DeepSeek operates out of China. Questions are being raised about the legal basis for data processing, the sources of data used to train AI models, and the adequacy of protections for minors. Regulatory bodies are also investigating whether DeepSeek complies with GDPR and other European data protection laws. While DeepSeek has yet to publicly respond to these inquiries, its mobile app has already been removed from app stores in Italy, signaling the seriousness of the situation.

Data Protection Concerns Emerge in Ireland and Italy

Data protection authorities in Ireland and Italy have initiated inquiries into DeepSeek’s practices, focusing on how the company handles personal data of European citizens. The Irish Data Protection Commission (DPC) confirmed it has sent a request for information regarding data processing activities involving Irish residents. This action follows closely after the Italian Data Protection Authority (DPA) made a similar move, highlighting growing concerns over the security and privacy of user data.

The Italian DPA’s letter specifically seeks details on the types of personal data collected, the sources from which this data is obtained, and the purposes for which it is used. It also asks for clarification on the legal basis for processing such data and the specifics of the servers located in China where this information is stored. The authority emphasizes the risk to millions of Italians’ data, underscoring the urgency of ensuring compliance with GDPR and other relevant regulations. Euroconsumers, a coalition of European consumer groups, has further complicated matters by filing a complaint against DeepSeek, alleging inadequate protections for personal data.

Regulatory Challenges and Potential Legal Implications

DeepSeek’s operations, based in China, raise additional regulatory challenges, particularly concerning cross-border data transfers. The company’s privacy policy indicates that all collected data is stored in China, raising questions about adherence to European data protection laws. Regulators are keen to understand how DeepSeek ensures compliance when transferring data from Europe to China, especially in light of stringent requirements under GDPR.

Beyond data protection, there are emerging concerns about copyright and intellectual property rights. Some experts suggest that DeepSeek may have utilized “distillations” from proprietary models developed by companies like Microsoft and OpenAI, potentially infringing on intellectual property. This raises the possibility of further legal challenges. Meanwhile, the European Commission has indicated that while it is too early to comment on specific investigations, all AI services offered in Europe must comply with existing rules, including the AI Act. As DeepSeek faces mounting pressure from various fronts, the company will need to provide transparent and satisfactory responses to address these concerns and maintain its presence in the European market.