EU regulators scrutinize DeepSeek for data privacy violations

Chinese AI company DeepSeek has caused a stir with its R1 model. EU regulators are also paying attention and expressing concern over the app’s collection and use of EU residents’ personal data. We look at why data protection authorities are investigating and what action they’re taking.
Published by Usercentrics
Feb 19, 2025

In January 2025, Chinese AI company DeepSeek (full name: Hangzhou DeepSeek Artificial Intelligence Basic Technology Research Co., Ltd.) caused a furor in tech circles and beyond when it released its R1 model. The news even affected the stock price of tech company Nvidia, which is a major US-based supplier of AI hardware and software. 

R1 purportedly performs comparably, particularly in speed and efficiency, to other large language models. The most well-known of these come from American tech companies like OpenAI (ChatGPT), in which Microsoft has a significant investment, Meta (LLaMa), and Google (Gemini).

What garnered a lot of attention were DeepSeek’s claims that developing and training R1 was significantly cheaper and required a lot less computing power than the other companies’ models: USD 6 million compared to USD 100 million for OpenAI’s GPT-4, and about one-tenth the computing power required by Meta’s LLaMa.

However, DeepSeek has also caught the attention of EU regulators, with scrutiny, complaints, and a ban of R1 already being put in place. We look at EU data protection authorities’ privacy concerns over R1, specific alleged violations and actions being taken, and what the future may hold for AI companies and their products, especially in the EU.

What are EU data protection authorities’ concerns about DeepSeek?

According to a press release from Garante, DeepSeek has claimed that EU data privacy laws like the GDPR do not apply to the company, which is based in China. Regulators like Italy’s Garante have questioned this, claiming that DeepSeek’s operations clearly involve the processing of personal data of EU residents, thus making the GDPR and its extraterritorial scope applicable. Other laws like the AI Act are also relevant.

If DeepSeek ignores EU regulatory requirements, EU residents’ personal data may be collected and processed without individuals’ knowledge or consent. The purposes for the processing, sharing with third parties, and international transfers of that data would also be performed without a valid legal basis under EU law. 

EU residents’ rights would additionally be violated in that they would have no ability to decline access to their personal data, to have processing stopped, or have their data deleted.

Let’s look at how EU regulators have responded.

EU data protection authorities react to DeepSeek

Several data protection authorities (DPAs) in EU member states have weighed in over the last several weeks, and more may take action in the future, potentially as a bloc, as more information comes to light.

Italy’s Garante orders DeepSeek-R1 blocked

Italian DPA Garante ordered DeepSeek to block Italian access to R1, so the app will not be available in Italian app stores. Users employing VPNs can still access it, however. This order came after DeepSeek failed to address Garante’s concerns over its privacy policy, which makes no mention of the GDPR. Garante also received consumer complaints regarding DeepSeek.

Garante sought information from DeepSeek about what personal data R1 collects, from which sources, for what purposes, under what legal basis, and if the data is stored in China. The information DeepSeek provided was “considered totally insufficient”, leading to the order to block the app.

After levying the ban, Garante gave DeepSeek 20 days to provide details on how they process and store European users’ data.

Belgium and Portugal’s data protection authorities receive complaints about DeepSeek

Several days after Garante ordered R1 blocked at the end of January, the Belgian data protection authority (DPA) confirmed that it had received a complaint about DeepSeek, though it declined to provide any additional details at that time.

The complaint was registered by consumer organization Testaankoop. Their sister organization in Portugal, Deco Proteste, also filed a complaint about DeepSeek with the Comissão Nacional de Protecção de Dados (CNPD), the Portuguese data protection authority.

Other EU privacy regulators seek answers from DeepSeek

Around the same time that the complaint to the Belgian DPA was confirmed, Luxembourg’s National Data Protection Commission (CNPD) commented that it had not yet received any complaints, but that it was aware of risks and may further examine DeepSeek’s access to and processing of EU residents’ personal data in conjunction with other DPAs across Europe.

Germany’s regional DPAs have already begun discussing next steps regarding DeepSeek as well.

France’s Commission nationale de l’informatique et des libertés (CNIL) has confirmed that it’s requesting additional information from DeepSeek, and that it is analyzing R1’s functionality.

Ireland’s Data Protection Commission also requested information from DeepSeek about collection and processing of Irish residents’ personal data. 

Of note is that Ireland’s Data Protection Commission is often the lead EU regulator for many large US tech companies due to the location of their EU operations in Ireland. However, none of DeepSeek’s parent companies has set up EU headquarters or other legal presence — in Ireland or elsewhere in the EU.

The European Commission’s reaction to DeepSeek

The European Commission’s deputy director-general of the justice directorate, Irena Moozová, has stated that the Commission is examining whether DeepSeek has violated any EU laws. Additionally, digital affairs spokesperson Thomas Regnier has noted that, “the AI Act ensures services operating in the EU must comply with European regulations.”

Brando Benifei, a Member of the European Parliament and a key figure behind the AI Act, has also stressed the importance of transparency in developing AI, noting “Europe must remain competitive while enforcing its human-centric, rights-based approach to AI, setting a global standard for ethical and transparent innovation”.

How DeepSeek and its parent companies respond remains to be seen.

What’s next for EU data privacy regulators and DeepSeek?

Investigations by EU DPAs will continue, and involvement by additional EU data protection authorities is likely, up to and including further bans. 

Outside of Europe, DeepSeek has already been banned on some Canadian government mobile devices, echoing a prior ruling against another Chinese app, ByteDance’s popular TikTok.

DeepSeek’s failure to address regulators’ questions and concerns, along with the company’s lack of EU operations or legal presence, also creates further questions and complexities. It remains to be seen if the company will comply with demands to block the app from EU user access, or comply with future rulings against it and pay any fines that might be levied.

In 2023 OpenAI’s ChatGPT was temporarily banned in Italy and later fined EUR 15 million for privacy violations. That company is based in the US and does have an EU presence headquartered in Dublin.

DeepSeek was also a popular topic of conversation at the Artificial Intelligence Action Summit in Paris the week of February 10, 2025. The topic of AI more broadly has already proven to be contentious at the event, with the UK and US refusing to sign an international agreement on AI that pledges an open, inclusive, and ethical approach to developing the technology. 

This comes just days after Google ended a company ban on using AI to develop weapons and surveillance tools.

How Usercentrics helps

EU regulators have stressed the importance of transparency where processing of individuals’ personal data is concerned. Complaints and actions to date have also centered around violations of data subjects’ rights under EU law.

Usercentrics believes that privacy is a human right, and our products, like Usercentrics CMP, enable organizations to be transparent with their audiences about the data they collect and how they use it. The CMP also enables users to exercise their rights around consent and data use.

Increasingly, individuals are able to vote with their wallets — and their data — which is backed by more and more regulations codifying the right to data portability. Companies that embrace Privacy-Led Marketing can focus on building trust and long-term relationships, rather than pursuing what they can get away with regarding collection and processing of personal data.

Usercentrics’s products enable privacy compliance and transparency, and help deliver great user experience to help you build that trust and sustainably grow your business.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.