Artificial Intelligence & Machine Learning,
General Data Protection Regulation (GDPR),
Next-Generation Technologies & Secure Development
Privacy Concerns Arise from Data Storage Practices in China
In a significant move, the Italian data protection authority has initiated an investigation into the data storage and processing practices of the Chinese generative AI model, DeepSeek, following the model’s recent public launch of its R1 reasoning capability. This inquiry raises vital questions regarding the handling of personal data, especially for millions of Italian users.
The authority, known as Garante, has sent formal requests for information to DeepSeek’s parent companies, DeepSeek based in Hangzhou and DeepSeek Artificial Intelligence located in Beijing. Reports indicate that the Irish Data Protection Commission is also seeking clarity on the data management practices related to Irish citizens. Concerns escalate as the app garners popularity, placing DeepSeek under scrutiny amid worries about privacy compliance and data transparency.
Following the introduction of the R1 model, the confidence of investors in the U.S. AI sector has faltered, evident in the declining stock prices of tech companies. The growing consumer interest propelled DeepSeek to the forefront of the Apple App Store; however, the legitimacy of its alleged breakthrough in affordable AI technology is being questioned amid accusations of data misuse.
Garante’s statement emphasized the potential risks posed to the personal information of millions, highlighting concerns over the sources of data collection, the legal bases for data processing, and the physical locations of servers where this data is stored. DeepSeek has been given a 20-day period to respond to these inquiries. Recent reports confirm that DeepSeek’s app has been removed from both Apple and Google’s app stores in Italy as the regulatory oversight intensifies.
The inquiry stems from a formal complaint lodged by Euroconsumers, a coalition of five national consumer organizations, accusing DeepSeek of violating data privacy norms. The complaint articulates serious concerns around DeepSeek’s privacy policy, which allegedly reveals improper transfers of user data to servers located in China. This situation is further complicated by existing fragile legal frameworks that aim to safeguard European residents from foreign surveillance activities.
Among the concerns raised is the lack of transparency regarding DeepSeek’s automated decision-making processes and age verification mechanisms. Euroconsumers asserts that DeepSeek’s policies display multiple breaches of European and national data protection laws, intensifying the regulatory focus on the company’s operations.
Legal experts have noted that while the European Commission has established legal frameworks enabling commercial data flows with China, the absence of a European office for DeepSeek raises questions about its adherence to GDPR standards. Theodore Christakis, a professor of European and digital law at University Grenoble Alpes, remarked on the precarious situation for DeepSeek, warning that inadequate data protection measures could precipitate a compliance crisis under GDPR.
A spokesperson for the European Commission assured that the privacy of EU citizens would remain a top priority, affirming that any services offered within the EU would be mandated to comply with local regulations, including those pertaining to data privacy. This ongoing situation emphasizes the delicate balance between innovation in AI technology and the vital need for stringent regulatory compliance in the realm of data protection.
