Ireland and Italy send data watchdog requests to DeepSeek: ‘The data of millions of Italians is at risk’



The jury is still out on whether the Chinese AI upstart DeepSeek is a game changer or part of an elaborate plan by its hedge fund parent company to short Nvidia and other tech stocks. Whichever it might be (maybe both?), DeepSeek and its large language model have made some major waves. And now, it’s catching the eye of data protection watchdogs. 

Today the Irish Data Protection Commission confirmed to TechCrunch that it has sent a note to DeepSeek requesting details concerning how the data of citizens in Ireland is processed by the company. “The Data Protection Commission (DPC) has written to DeepSeek requesting information on the data processing conducted in relation to data subjects in Ireland,” said a spokesperson.

The letter from Ireland’s DPA was sent less than 24 hours after the data protection watchdog in Italy sent a similar note to the company. DeepSeek has yet to respond to either request publicly. However, its mobile app no longer appears in either the Google or Apple app store in Italy.

The Italian move appeared to be the first major move from one such watchdog since DeepSeek went positively viral in recent days. Euroconsumers, a coalition of consumer groups in Europe, has filed a complaint with the Italian Data Protection Authority related to how DeepSeek handles personal data in relation to GDPR, the data protection regulatory framework in Europe.

The Italian DPA confirmed today that it subsequently wrote to DeepSeek with a request for information. “A rischio i dati di milioni di persone in Italia,” it notes. (“The data of millions of Italians is at risk.”) DeepSeek has 20 days to respond.

Two key details about DeepSeek that many have noticed are that the service is made in and operates out of China. Per its privacy policy, this includes the information and data that DeepSeek collects and stores, which are also housed in its home country.

DeepSeek also briefly notes in its policy that when it transfers data to China from the country where DeepSeek is being used, it does so “in accordance with the requirements of applicable data protection laws.”  

But Euroconsumers — the organization that brought a successful case against Grok last year over how it used data to train its AI — and the Italian DPA want more detail. 

Addressing Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence, the Italian DPA said it wants to know what personal data is collected, from which sources, and for which purposes – including what information is used to train its AI system – along with what the legal basis is for processing. It also wants more details on those servers in China. 

Further, it writes in its information request, it wants to know “in the event that personal data is collected through web scraping activities,” how users who are “registered and those not registered to the service have been or are informed about the processing of their data.”

The news outlet MLex notes that Euroconsumers also highlighted that there are no details regarding how DeepSeek protects or restricts minors on its services, from age verification to how it handles minors’ data.

(DeepSeek’s age policy notes that it is not intended for users under the age of 18, although it does not provide a way to enforce that. For those between the ages of 14 and 18, DeepSeek suggests these younger users read through the privacy policy with an adult.)

Euroconsumers and the Italian watchdog represent the first effort to make a move against DeepSeek. They might not be the last, although follow-ups may not be as swift. 

Earlier today, DeepSeek was a prime topic at a press conference at the European Commission. Thomas Regnier, Commission Spokesperson for Tech Sovereignty, was asked whether there are concerns at the European level over DeepSeek related to security, privacy, and censorship. For now, though, the main message appeared to be: it’s too soon to say anything about any investigations.

“The services offered in Europe will respect our rules,” Regnier noted in a response to a question about data privacy, adding that the AI Act applies to all AI services offered in the region. 

He declined to say whether DeepSeek, in the EU’s estimation, respected those rules or not. He was then asked whether the app’s censorship on topics that are politically sensitive in China fell afoul of free speech rules in Europe and if that merited an investigation. “These are very early stages, I’m not talking about an investigation yet,” Regnier said quickly in response. “Our framework is solid enough to tackle potential issues if they are here.”

Questions TechCrunch sent to the ICO in the U.K. about DeepSeek received a similar response: DeepSeek, in effect, will be subject to the same scrutiny as any other GenAI developer. But no further actions yet.

“Generative AI developers and deployers need to make sure people have meaningful, concise and easily accessible information about the use of their personal data and have clear and effective processes for enabling people to exercise their information rights,” said a spokesperson. “We will continue to engage with stakeholders on promoting effective transparency measures, without shying away from taking action when our regulatory expectations are ignored.”

Meanwhile, could new avenues of regulatory questioning open around areas like copyright and IP protection?

Many have marvelled at how DeepSeek’s very existence seems to challenge assumptions about the actual costs of training and operating an LLM or a generative AI service: its cheaper infrastructure and cost base undermine the idea that building foundational AI and running generative AI applications have to cost a fortune in chips, data center usage and energy consumption.

But more recently, some have started to raise questions about all that. Microsoft and OpenAI say that there appears to be evidence that it was partly trained on “distillations” from their proprietary models. There would be an uncanny irony in this if it proves to be true — given the many legal and other dramas that have swirled around how some LLM builders have allegedly regarded intellectual property and copyright.

We have contacted DeepSeek regarding the Italian DPA complaint and will update this post as more information becomes available. In the meantime, DeepSeek’s apps have now been pulled from the major Italian app stores, although the service appears to still be live online in the country.

Updated with further detail on regulatory responses, legal issues and status of the service in Italy.



