Ireland and Italy Investigate Deepseek Data Breach

The Status of DeepSeek: Scrutiny from Data Protection Authorities

The question of whether DeepSeek, a relatively new Chinese AI company, represents a genuine breakthrough or a calculated maneuver by its parent hedge fund remains open for debate. Speculation suggests a potential strategy to influence stock values of companies like Nvidia. Regardless of its true nature, DeepSeek’s large language model has garnered significant attention, and is now attracting the focus of data protection agencies.

Investigations Initiated by European Regulators

The Irish Data Protection Commission has officially confirmed that it has requested information from DeepSeek regarding its processing of data belonging to Irish citizens. A spokesperson for the DPC stated that a formal request for details on data processing practices has been issued. Further details were not disclosed.

This action follows a similar request made less than 24 hours prior by Italy’s data protection authority. Currently, DeepSeek has not issued a public response to either inquiry. Notably, the company’s mobile application is no longer available on app stores in Italy, both Google’s and Apple’s.

Concerns Regarding GDPR Compliance

The Italian action marks the first substantial response from a regulatory body since DeepSeek gained widespread visibility. Euroconsumers, a collective of European consumer groups, filed a complaint with the Italian Data Protection Authority, centering on concerns about DeepSeek’s handling of personal data in relation to the General Data Protection Regulation (GDPR).

The Italian DPA has confirmed its request for information from DeepSeek, expressing concerns that “the data of millions of Italians is at risk.” DeepSeek has a 20-day timeframe to provide a comprehensive response.

Data Location and Transfer to China

A key aspect of DeepSeek that has drawn attention is its origin and operational base in China. According to its privacy policy, all collected and stored information, including data, is also housed within China.

The policy also acknowledges that when transferring data from other countries to China, DeepSeek adheres to “the requirements of applicable data protection laws.”

Detailed Information Requests from the Italian DPA

Euroconsumers, having previously achieved a successful outcome against Grok regarding data usage for AI training, and the Italian DPA are seeking more detailed information. The Italian DPA is requesting specifics on the types of personal data collected, the sources of that data, and the purposes for which it is used – including its application in training the AI system.

The authority is also seeking clarification on the legal justification for this data processing, as well as further details regarding the servers located in China. Additionally, the request extends to data collection through web scraping, inquiring about how both registered and unregistered users are informed about their data processing.

Protection of Minors and Potential Copyright Issues

MLex reports that Euroconsumers has also raised concerns about the lack of provisions for protecting minors on the service. This includes the absence of age verification measures and protocols for handling minors’ data.

DeepSeek’s policy states it is not intended for users under 18, but lacks enforcement mechanisms. It suggests users aged 14-18 review the privacy policy with an adult.

European Commission Response and Future Scrutiny

DeepSeek was a central topic during a press conference at the European Commission. When questioned about potential security, privacy, and censorship concerns, Thomas Regnier, Commission spokesperson for Tech Sovereignty, indicated it was premature to comment on any investigations.

Regnier affirmed that services operating in Europe must comply with existing regulations, specifically mentioning the applicability of the AI Act. He refrained from stating whether DeepSeek currently meets these standards.

Regarding potential censorship of politically sensitive topics in China, Regnier stated, “These are very early stages, I’m not talking about an investigation yet,” but emphasized the framework’s capacity to address potential issues.

UK ICO and Broader Regulatory Considerations

The Information Commissioner’s Office (ICO) in the U.K. provided a similar response, stating DeepSeek will be subject to the same scrutiny as other GenAI developers, but no immediate actions are planned.

A spokesperson for the ICO emphasized the need for clear and accessible information regarding personal data usage and effective mechanisms for exercising data rights. They affirmed the ICO’s commitment to taking action when regulatory expectations are not met.

Questions Regarding Copyright and Training Data

Further regulatory questions may arise concerning copyright and intellectual property protection. The emergence of DeepSeek challenges conventional assumptions about the costs associated with training and operating large language models.

Its comparatively inexpensive infrastructure raises questions about the financial burdens traditionally linked to building foundational AI and running generative AI applications. However, recent claims suggest DeepSeek may have been partially trained on “distillations” from models developed by Microsoft and OpenAI, potentially raising intellectual property concerns.

We have reached out to DeepSeek for comment regarding the Italian DPA complaint and will provide updates as more information becomes available. Currently, DeepSeek’s apps have been removed from major Italian app stores, but remain accessible online within the country.

Updated with further detail on regulatory responses, legal issues, and status of the service in Italy.