EU Blocks Chinese AI App DeepSeek Over GDPR Compliance Concerns
The European Union (EU) has reinforced its data protection framework by taking action against the Chinese artificial intelligence application, DeepSeek, citing concerns over its data processing practices and non-compliance with the General Data Protection Regulation (GDPR). The move underscores the EU’s firm stance on AI-driven data processing and privacy protections across its member states.
DeepSeek’s Background and Market Presence
DeepSeek is an AI-powered chatbot developed in China, offering capabilities similar to OpenAI’s ChatGPT and Google’s Gemini. The application has gained significant traction worldwide, including within the EU, where users can access it through mobile downloads and a web-based version. Although DeepSeek has no physical offices or official corporate presence in the EU, the app’s widespread use has triggered regulatory scrutiny.
EU’s Justification for Blocking DeepSeek
The primary reason for the EU’s enforcement action was DeepSeek’s inadequate response to requests for transparency regarding its data processing activities. Specifically, the company failed to clarify the scope of personal data collection, its sources, the purposes of processing, legal justifications, and data storage locations. Under the GDPR, such transparency is a fundamental requirement for AI-driven services handling personal data within the European Union.
GDPR’s Territorial Scope and Its Impact on AI Applications
A central legal question in the DeepSeek case is whether the GDPR applies to a company with no formal presence in the EU. According to Article 3(2) of the GDPR, the regulation extends to companies based outside the EU if they:
Offer goods or services to individuals in the EU, regardless of whether payment is required.
Monitor the behaviour of individuals within the EU.
Given DeepSeek’s significant user base within the EU and its provision of AI-powered services accessible to European residents, it was determined that the company falls under GDPR jurisdiction. DeepSeek’s claim that it does not “operate” in the EU was thus insufficient to exempt it from compliance obligations.
AI, Data Collection, and Privacy Risks Under GDPR
One of the primary concerns regulators have with AI applications like DeepSeek is how they handle user data. AI-powered chatbots process vast amounts of personal and behavioral data to improve responses and optimize interactions. However, the lack of clarity surrounding DeepSeek’s data collection, storage, and potential sharing practices has raised alarms among European regulators.
Article 12(1) of the GDPR mandates that data controllers provide information to data subjects in a manner that is concise, transparent, intelligible, and easily accessible. Key privacy risks in AI-driven applications under GDPR include:
Lack of Transparency – Users may not be fully aware of what personal information is collected, how it is stored, or whether it is shared with third parties.
Cross-Border Data Transfers – AI applications developed in countries with different privacy standards may transfer EU user data outside GDPR-compliant jurisdictions, creating regulatory concerns.
Automated Decision-Making and Profiling – Many AI applications analyze user behaviour, which can lead to profiling and automated decisions that may impact users’ rights.
DeepSeek’s Response and the Implications of the Ban
DeepSeek responded to the EU’s inquiry by claiming that it does not operate in the region and is therefore not subject to European data protection laws. However, this argument was deemed insufficient, as accessibility and significant user engagement within the EU establish regulatory jurisdiction under the GDPR.
Following enforcement action, Italy’s data protection authority has ordered the blocking of DeepSeek’s services within the country due to concerns over data privacy compliance. While reports suggest that some users in Italy may still access the service, the move signals the EU’s firm stance on enforcing privacy regulations.
The Legal Interpretation of 'Operate' Under GDPR
The concept of 'operating' in a jurisdiction is a critical legal issue when determining the applicability of data protection laws such as the GDPR. Traditionally, operation within a country implied a physical presence, such as offices, staff, or business registrations. However, under modern digital regulations, particularly GDPR Article 3(2), operation is interpreted more broadly. Even without a formal establishment in the EU, a company may still be deemed to operate there if it intentionally targets EU users, processes their data, or provides services that inherently involve data collection from EU residents. This broad interpretation ensures that companies engaging with EU citizens cannot evade regulatory scrutiny simply by lacking a physical footprint.
Source: Reuters, EU Official Website, The Wall Street Journal