privacy

The "DeepSeek" Case and the Risks to Personal Data

Artificial intelligence and big data

On the 29th of January 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) launched an investigation into DeepSeek, an artificial intelligence-based chatbot developed by the Chinese companies Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence. Just two days later, the Authority ordered the restriction of data processing for all users located within the national territory.

DeepSeek, designed to understand and process human conversations, was recently introduced to the global market, where it quickly reached millions of downloads, including a large number of Italian users. Its rapid and widespread diffusion raised serious concerns about the protection of personal data and the transparency of data processing practices.

The investigation began with a formal request for information sent to the developing companies, in which the Authority asked for clarification on:  

  • What categories of personal data were being collected;  
  • The sources of such data (e.g., social media profiles or web scraping techniques);  
  • The purposes and legal bases for data processing;  
  • The location of the servers and whether data was being transferred to countries not compliant with the GDPR, such as China;  
  • The ways in which both registered and unregistered users were informed about the processing of their personal data.

The Authority deemed it necessary to intervene due to the high number of downloads in Italy in a very short period, posing significant risks to the security and confidentiality of the information shared by users through the chatbot.

The responses received from DeepSeek were deemed inadequate and failed to provide any concrete reassurance. Notably, the company claimed not to operate in Italy and to be outside the scope of EU data protection laws—an assertion that directly contradicted the findings of the preliminary investigation.

In light of this lack of cooperation and the tangible risk to the rights and fundamental freedoms of Italian users, the Authority adopted an urgent measure: the immediate prohibition of personal data processing by DeepSeek within the national territory. This restriction will remain in place until all identified concerns are fully addressed.

At the same time, the Authority will continue with a thorough investigation to assess the platform's compliance with EU data protection regulations and evaluate the impact of DeepSeek’s practices on the fundamental rights of individuals.

This decision—unprecedented on a global scale—marks a decisive step toward a more rigorous and ethical regulation of artificial intelligence. The measure not only safeguards Italian users but also sends a strong message to non-EU companies: anyone wishing to operate within the EU market must fully comply with the principles of legality, transparency, and accountability.

 

Yearbook

2025

Links

Keywords

privacy artificial intelligence (AI) Italy monitoring