The emergence of DeepSeek, a Chinese AI startup, has sparked significant debate. The company's large language model has garnered attention for its potential impact on the tech industry and its compliance with data protection regulations. Now, it faces scrutiny from European consumer groups and data watchdogs over concerns related to GDPR and the handling of personal information.

Data Protection at Risk: DeepSeek Faces Legal Challenges in Europe

Initial Complaints and Regulatory Actions

Euroconsumers, a coalition of European consumer organizations, has taken the first major step against DeepSeek by filing a complaint with the Italian Data Protection Authority (DPA). This move highlights growing concerns about how DeepSeek manages personal data within the framework of the General Data Protection Regulation (GDPR). According to Euroconsumers, the practices of DeepSeek could potentially put the data of millions of Italians at risk. The Italian DPA has since issued an official request for information, giving DeepSeek 20 days to respond.The complaint underscores the complexities surrounding international data transfers, especially when services like DeepSeek operate from countries with different regulatory environments. While DeepSeek claims to adhere to applicable data protection laws, the specifics of these practices remain under intense scrutiny. The Italian DPA seeks detailed explanations regarding the types of personal data collected, the sources from which it is obtained, and the purposes for which it is used. Additionally, the authority is probing the legal basis for processing this data and the specifics of the servers located in China.

Data Transfers and Privacy Policies

DeepSeek’s operations are based in China, where both Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence manage its infrastructure. The company’s privacy policy indicates that all collected data is stored in its home country. However, the lack of transparency around these practices has raised red flags among regulators. Euroconsumers, which previously succeeded in challenging Grok over data usage, now questions whether DeepSeek adequately informs users about the processing of their data, particularly through web scraping activities.Moreover, there are concerns about the protection of minors using DeepSeek’s services. Despite stating that the platform is not intended for users under 18, DeepSeek lacks robust mechanisms for age verification. For younger users between 14 and 18, the company suggests reviewing the privacy policy with an adult, but this guidance falls short of comprehensive safeguards. These gaps highlight the need for stricter oversight to ensure compliance with GDPR requirements and protect vulnerable populations.

Potential Broader Implications

The actions taken by Euroconsumers and the Italian DPA may signal the beginning of broader investigations into DeepSeek’s practices. At a recent press conference, Thomas Regnier, Spokesperson for Tech Sovereignty at the European Commission, addressed concerns about security, privacy, and censorship. Although Regnier emphasized that it is too early to comment on specific investigations, he affirmed that all AI services offered in Europe must comply with the region’s rules, including the AI Act.Regnier also touched upon the issue of censorship, noting that topics deemed politically sensitive in China could pose challenges for free speech in Europe. While no formal investigation has been initiated, the Commission’s stance underscores the importance of adhering to established frameworks to address potential issues. As more information emerges, the European authorities will likely continue to monitor DeepSeek closely, ensuring that its operations align with the continent’s stringent data protection standards.