DeepSeek, a Chinese artificial intelligence startup, has announced the temporary halting of its service within South Korea due to significant concerns over user data privacy. Following internal analyses by the South Korean government, it was determined the user data collected by DeepSeek was being transmitted to ByteDance, the parent company of TikTok. This alarming finding prompted the South Korean Personal Information Protection Commission (PIPC) to intervene, leading to the suspension of DeepSeek’s services.
Effective February 15, 2025, the PIPC mandated this suspension to allow DeepSeek time to improve its compliance with the country’s Personal Information Protection Act. The commission confirmed the company’s plans to resume service once it resolves identified deficiencies. Currently, the DeepSeek app is no longer available on major app marketplaces such as Google Play or the Apple App Store. Nevertheless, users who had previously downloaded the mobile app can still access the service, alongside PC users.
This drastic measure came after the PIPC recommended suspending the service as they uncovered risks related to personal data protections. While the commission could not yet conclude whether the data being sent to ByteDance was personal, it advised caution and suggested it could take DeepSeek considerable time to implement necessary privacy improvements.
The emergence of DeepSeek as a competitor on par with other leading AI firms, including those based in the U.S., had raised eyebrows earlier. Critics voiced concerns about the startup's data collection practices, suspecting the indiscriminate harvesting of personal information to bolster training data reserves. These worries were compounded when several South Korean government departments, including the Ministry of Science and ICT and the Ministry of Health and Welfare, began enforcing restrictions on DeepSeek’s access within their internal networks starting on February 4, 2025.
During this time, the PIPC had sent out questionnaires to DeepSeek’s headquarters, aiming to clarify its data acquisition and processing methodologies. DeepSeek's formal reply came on February 14, acknowledging shortcomings and pledging to align more closely with South Korean privacy standards moving forward. Notably, they revised their privacy policies to exclude the collection of user keyboard input patterns and rhythms. Unfortunately, they also removed the previously available “opt out” clause, limiting users’ choices over data collection.
The PIPC emphasized it would monitor DeepSeek throughout its service suspension, ensuring compliance with the Personal Information Protection Act. Concurrently, the commission plans to develop comprehensive guidelines concerning data privacy for other AI developers planning to enter the South Korean market. These guidelines aim to provide necessary clarity over acceptable data handling practices and will be announced alongside results from the inspection of DeepSeek’s privacy improvements.
Nam Seok, the director of the PIPC’s investigations division, warned users who already downloaded DeepSeek to refrain from entering any personal information until the PIPC issues its final announcements concerning privacy protections. Seok stressed the necessity of caution moving forward, saying, “We plan to draft policies for the collection, storage, and processing of user data harvested during our inspections.”
This situation raises substantial questions about data privacy regulations and the operational frameworks for AI startups seeking to penetrate foreign markets. The South Korean government is now partially responding to public sentiment demanding greater transparency and security around personal data, especially as incidents of data mishandling have become all too common globally.
Going forward, how other AI developers respond to this growing scrutiny remains to be seen, but the case of DeepSeek certainly highlights the urgent need for clear data protection measures. With technology advancing rapidly, it becomes ever more important to align such innovations with the framework of existing regulatory practices to protect user privacy effectively.