Italy's data protection authority, known as the Garante, has taken decisive action against the Chinese artificial intelligence startup DeepSeek. On Thursday, the Garante ordered the company to block its chatbot in Italy. This move follows DeepSeek's failure to address serious concerns about its privacy policy, raising alarm over the handling of personal data.
The Garante’s primary focus is on protecting the personal data of Italian users, ensuring their information is managed responsibly and transparently. This incident highlights the growing scrutiny facing AI technologies across Europe, particularly concerning data protection and privacy regulations.
The Garante has raised several questions surrounding DeepSeek's use of personal data. They sought clarity on the types of personal data collected, its sources, the purposes of usage, and the legal basis for its collection. There were significant concerns about whether the data is stored in China, where privacy regulations differ greatly from those in Europe. According to Garante board member Agostino Ghiglia, the information provided by DeepSeek was "totally insufficient," heightening fears about the company's data management practices.
Despite the alarm, DeepSeek's chatbot gained significant popularity, even surpassing ChatGPT as the top-rated free application on Apple’s App Store in the United States. This rapid rise has not escaped the scrutiny of regulatory bodies, leading to the Garante’s firm action against the app. The authority emphasized citizens' right to be informed about how their data is used and stored, reflecting its commitment to uphold these rights amid increasing adoption of AI technologies.
Following the Garante's order, the chatbot was blocked immediately, and investigations were launched to assess the company’s data practices. Ghiglia noted with disappointment DeepSeek’s lack of cooperation, expressing doubts about the re-assurances of the company's data handling. "Without cooperation from DeepSeek, the company would remain blocked in Italy," he emphasized.
Reports indicated some users, who downloaded the app prior to the ban, were still able to operate it, raising questions about the enforcement of the Garante’s orders and the broader challenges of ensuring compliance with data protection regulations.
The Garante’s actions are reflective of wider scrutiny of DeepSeek by data regulators across Europe, including organizations situated in Ireland, France, Belgium, and the Netherlands. Their inquiries target whether DeepSeek’s data collection practices violate the EU’s General Data Protection Regulation (GDPR) by transferring personal data to China.
DeepSeek initially launched its chatbot, called R1, in January, claiming it operates with less energy and at lower costs than OpenAI’s ChatGPT. Yet, serious data privacy concerns quickly arose. The company disclosed three types of data it collects from users: directly provided information like names and emails; automatically collected data, such as IP addresses; and information gathered from other sources like Google or Apple logins. Users should be aware their data may be stored "for as long as possible" and used for various purposes, including sharing with third parties such as advertisers and law enforcement.
Calling attention to data security, David Erdos, co-director of the Centre for Intellectual Property and Information Law at the University of Cambridge, voiced concern over the lack of guarantees for EU app users. “We don’t have any provision of adequately equivalent data protection,” Erdos commented, stressing the serious implication of these practices.
Compounding worries, DeepSeek reportedly stores much of its data on Chinese servers. While the company states it employs "commercially reasonable technical, administrative, and physical security measures" for data protection, skepticism remains high. Erdos underscored the absence of any legal justification which would allow personal data to be stored and processed outside the EU, citing fundamental differences between Chinese and European data protection laws.
Reflecting broader sentiments, the European Data Protection Board (EDPB) earlier found the basis for Chinese privacy law prioritizes "community stability" over individual rights, raising questions about how users’ data are treated abroad.
Concerns extend to the app’s vulnerability to cyber attacks, as evidenced by findings from technology company Cisco, which reported DeepSeek was unable to block many types of cybersecurity breaches, unlike its competitors. Their analysis characterized DeepSeek R1 as lacking sufficient safeguards, making it more susceptible to misuse.
For those who still want to use the app, Erdos cautioned against disclosing sensitive personal information, stating, “People have got to make their judgement as to whether they’re engaging with the service [while] it isn’t necessarily giving people the rights which they would expect.”
With the Garante's firm stance and the peer scrutiny from regulators across Europe, DeepSeek's future remains uncertain as the company navigates complex data privacy laws. The increasing emphasis on data protection signifies growing awareness and demand for accountability among AI service providers.