Both Ireland and Italy have taken bold steps to address concerns regarding the data processing practices of DeepSeek, a Chinese AI chatbot that has gained rapid popularity. The app, which has been compared to OpenAI’s ChatGPT, has raised alarms among European regulators due to its potential implications for user data privacy and national security.
DeepSeek’s rise and regulatory scrutiny
DeepSeek has quickly become one of the most downloaded free apps in the Apple App Store in the United States and the United Kingdom, largely due to its competitive performance at a lower cost compared to established AI platforms. However, its rapid ascent has not come without controversy. Following its launch, concerns emerged regarding how the app collects and utilizes personal data, particularly in light of China’s national intelligence laws, which mandate that companies assist in state intelligence efforts if required.
In Italy, the Garante, the national data protection authority, has taken a proactive stance by blocking DeepSeek from several app stores. Users in Italy reported that the app was marked as “currently not available in the country or area you are in” on Apple devices, while Google Play indicated that the download “was not supported”.
Concerns over DeepSeek’s open source nature
Chester Wisniewski, director and global field CTO, Sophos, stated to Economy Middle East, “DeepSeek’s ‘open source’ nature opens it up for exploration – by both adversaries and enthusiasts. Like llama, it can be played with and largely have the guardrails removed. This could lead to abuse by cybercriminals, although it’s important to note that running DeepSeek still requires far more resources than the average cybercriminal has.”
The Italian regulator has demanded that DeepSeek provide detailed information about the types of personal data it collects, the sources of this data, the purposes for which it is used, and whether this data is stored in China. The Garante has given DeepSeek a 20-day deadline to respond to these inquiries, emphasizing the need for compliance with the General Data Protection Regulation (GDPR).
“More pressing for companies, however, is that, due to its cost effectiveness, we are likely to see various products and companies adopt DeepSeek, which potentially carries significant privacy risks. As with any other AI model, it will be critical for companies to make a thorough risk assessment, which extends to any products and suppliers that may incorporate DeepSeek or any future LLM. They also need to be certain they have the right expertise to make an informed decision,” Wisniewski further noted.
Read more: DeepSeek surpasses ChatGPT as top app in App Store, Google Play
Irish regulator questions DeepSeek’s data practices
Simultaneously, the Irish Data Protection Commission has also expressed concerns regarding DeepSeek’s data processing practices. The Commission has reached out to the company to request information about how it handles data related to Irish citizens. This inquiry aligns with the broader European effort to ensure that companies operating within the EU adhere to stringent data protection standards.
The Irish regulator’s involvement is particularly noteworthy given Ireland’s status as a hub for many tech companies, including several major players in the AI sector. The scrutiny from both Italian and Irish authorities reflects a growing trend among European nations to rigorously evaluate the data practices of foreign tech companies, especially those based in jurisdictions with less stringent data protection laws.
Rob T. Lee, chief of Research, SANS Institute, remarked to Economy Middle East, “DeepSeek’s approach to data privacy is a problem. Unlike OpenAI – which, while imperfect, has a stronger commitment to privacy and anonymization – DeepSeek collects and indefinitely stores massive amounts of user data in China, without clear anonymization measures. That’s a significant risk, not just from a security standpoint but in terms of potential data misuse, regulatory concerns, and overall trust in AI systems.”
Implications for users and companies
The actions taken by Italy and Ireland highlight the increasing vigilance of European regulators in protecting citizens’ data privacy. As DeepSeek continues to operate in a landscape fraught with regulatory challenges, users are left to ponder the implications of using an app that may not fully comply with EU data protection standards. The Italian Garante has indicated that it will conduct an in-depth investigation to determine whether DeepSeek’s practices align with GDPR requirements, which could have significant repercussions for the app’s future in Europe.
Moreover, the situation raises broader questions about the responsibilities of tech companies in safeguarding user data and the potential risks associated with using AI technologies developed in countries with different regulatory frameworks. As the debate over data privacy intensifies, both users and regulators will need to navigate the complexities of emerging technologies and their implications for personal data security.
