Italy’s data protection authority, Garante, has blocked the Chinese AI application DeepSeek due to concerns over its handling of user data. The regulator initiated an investigation after the startup failed to provide satisfactory responses regarding its privacy policy. DeepSeek’s parent companies, Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence, are required to clarify their compliance with the EU’s GDPR, including details on data collection, storage, and usage.
DeepSeek says they are not subject to EU regulations
The Italian data protection authority issued its order on January 31, 2025, aiming to protect local users’ data privacy. In a statement, the Garante expressed dissatisfaction with DeepSeek’s insufficient explanations regarding the type of personal data collected and its storage location. Despite asserting that they do not operate under Italian jurisdiction, authorities highlighted that DeepSeek had rapidly gained popularity, amassing millions of downloads globally within a few days.
In response to Garante’s inquiries, the Chinese companies claimed they are not subject to EU regulations and thus not obliged to meet legal obligations. Agostino Ghiglia, a board member of the Garante, noted that DeepSeek’s lack of cooperation hindered the discussions. The authority found their claims that European laws did not apply to them troubling, leading to the immediate blockade of their chatbot services in Italy.
Garante’s order has significant implications, particularly as it has also prompted similar reviews from data regulators in Ireland and Belgium. Both countries have begun probing DeepSeek’s data handling practices, indicating that these concerns may be spreading throughout the European Union. The Garante demanded that the companies provide detailed information about their compliance with GDPR within 20 days.
Currently, the DeepSeek chatbot is unavailable in Italian app stores, though some users who previously downloaded the application report still receiving responses from the bot. This suggests a lingering availability through existing installations or potential bypasses using virtual private networks, which raises further concerns about local enforcement.
OpenAI had a €15 million fine in previous action
Italy’s Garante has been proactive among the 31 data protection authorities in Europe regarding the use of artificial intelligence technologies. Just two years prior, the authority temporarily banned OpenAI’s ChatGPT over suspected privacy breaches. The previous action resulted in significant scrutiny and a fine of €15 million against OpenAI.
The current situation with DeepSeek reflects ongoing tensions between European regulators and non-EU tech companies, particularly those based in jurisdictions with different data protection standards. “Citizens have the right to give their consent based on what you do, or do not do, with their data,” Ghiglia stated, emphasizing the incompatibility of Chinese server guarantees with EU expectations.
Recently, DeepSeek had a breach exposing over a million lines of log streams including chat history, secret keys, backend details, and other critical information. There were API secrets and operational metadata found in thebreach and DeepSeek has since fixed the security vulnerability.
Also, regulators responsible for data in Ireland and France are currently investigating DeepSeek’s chatbot privacy policy.
