DeepSeek, a Chinese AI chatbot, has rapidly gained global popularity. However, its privacy practices have raised significant concerns among users and regulatory bodies, leading to investigations and restrictions. This article explores these concerns, the reasons behind them, and how well founded they are.
Creation of DeepSeek
Launched in early 2025 by Chinese AI companies Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence, DeepSeek was designed to compete with leading AI chatbots such as OpenAI’s ChatGPT. Offering advanced natural language processing capabilities, DeepSeek quickly amassed a substantial user base worldwide. In particular, by the end of January 2025, it had 33.7 million monthly active users globally, making it the 4th most popular AI application in the world. One of the main reasons DeepSeek has attracted attention is that, despite being an advanced AI system, it is available to users for free, whereas other powerful systems require a paid subscription and offer only limited free versions.
Immediate concerns after the release
Despite its technological advances, DeepSeek’s privacy practices have come under intense scrutiny. Users and experts have raised concerns that sensitive data is transmitted over unencrypted channels, exposing user information to potential breaches. Shortly after DeepSeek released its AI model, Wiz Research uncovered significant security vulnerabilities due to an exposed database. This misconfiguration left over a million sensitive records accessible online, including user chat histories, API keys and internal system logs, posing significant risks and allowing unauthorised parties to exploit the data for malicious purposes. In addition, DeepSeek’s AI models were found to be highly susceptible to manipulation, making them vulnerable to the generation of harmful content.
Users also noted that the model’s political views were a little stilted. For instance, it refrains from giving an answer when asked about Tiananmen Square. Being a Chinese company, DeepSeek is subject to benchmarking by China’s internet regulator to ensure that its models reflect core socialist values.
Data privacy issues: data storage and surveillance
Apart from the above-mentioned concerns, questions were raised about the app’s handling of personal data, particularly regarding transparency and potential data transfers to China. In this regard, DeepSeek explicitly states that it sends user data to servers located in China, making it subject to Chinese data laws.
Although all companies must comply with legal requirements, those operating in China have particularly significant obligations. Over the past ten years, Chinese authorities have enacted various cybersecurity and privacy laws that grant the government the power to request data from technology firms. A law introduced in 2017, for example, states that organisations and individuals are expected to “collaborate with national intelligence efforts”. This means that DeepSeek has no choice but to comply if the Chinese government wants to access user data or manipulate AI-generated responses.
Due to these data privacy concerns, several governments and organisations have restricted or banned the use of the DeepSeek chatbot. For instance, the U.S. Department of Defense blocked access to DeepSeek on its networks, and many companies have followed suit to prevent potential data leaks.
Compliance with EU data protection regulations
Considering these concerns, the data protection bodies of Italy, France and Ireland have launched investigations into how DeepSeek collects, stores, and processes user data.
In January 2025, the Italian Data Protection Authority (Garante) ordered DeepSeek to cease processing data of Italian users due to violations of privacy laws. The authority criticised DeepSeek for failing to provide adequate information about its data collection practices, including the sources of personal data, training datasets, purposes of processing, legal bases, and storage locations.
After DeepSeek failed to address Garante’s concerns, the Garante issued a restraining order to block Italian access to the chatbot. Despite DeepSeek’s assertion that it did not operate within Italy and was not subject to local regulations, it announced the removal of its AI assistant from Italian app stores.
It is essential to note that these issues are not exclusive to DeepSeek: other AI systems have faced similar criticisms. For instance, OpenAI’s ChatGPT was fined by the Italian data protection body for non-compliance with the General Data Protection Regulation (GDPR), which highlights the broader challenges that AI applications face in meeting strict regulatory requirements.
Conclusion
The DeepSeek case illustrates the complex interplay between technological innovation and data protection requirements. As AI applications become increasingly integrated into everyday life, ensuring their compliance with data protection regulations is paramount. Regulatory bodies worldwide are increasing their scrutiny of AI systems to protect user privacy and uphold data protection standards. For AI developers, it is necessary to take a proactive approach and incorporate robust privacy measures into their technology to foster user trust and comply with regulatory requirements in this evolving landscape.
Gohar Simonyan
M2 Cyberjustice – Promotion 2024/2025
Sources:
photo: Leonardo AI
https://backlinko.com/deepseek-stats?utm_source=chatgpt.com
https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak
https://www.wired.com/story/deepseek-ai-china-privacy-data/?utm_source=chatgpt.com
https://proton.me/blog/deepseek?utm_source=chatgpt.com
https://www.carriermanagement.com/news/2025/02/02/271338.htm?utm_source=chatgpt.com
https://krebsonsecurity.com/2025/02/experts-flag-security-privacy-risks-in-deepseek-ai-app/