DeepSeek AI Under EU Scrutiny

DeepSeek AI faces intense scrutiny in Europe after Italy’s data protection authority, the Garante, questioned its data practices. Several EU regulators are taking note, and this has sparked discussions on how personal information is handled by AI models.

The General Data Protection Regulation (GDPR) is designed to protect the privacy of individuals in the European Union. It applies to any business offering services in the EU, regardless of its base of operations. When companies process large sets of user data, regulators want evidence of responsible data handling.

Data protection authorities have made it clear that providers must be open about what they collect, how they store it, and why they need it. These rules are in place to protect you and your personal details from misuse. When a firm shows signs of ignoring core parts of the GDPR, investigators respond quickly.

What is DeepSeek AI?

DeepSeek AI is a suite of large language models (LLMs) backed by companies in Hangzhou and Beijing. Its AI assistant offers text-based services for summarising, drafting, and interacting with users, similar to ChatGPT. These tools have grown in popularity because they often run quickly and cost less to operate compared with many Western rivals.

Their market presence has grown to challenge established names such as OpenAI, Google, and Meta. Investors have paid close attention to DeepSeek because it disrupted what was once a crowded field of US tech giants. Its reported speed and accuracy prompted downloads from users in Europe. That expansion has now led to a deeper look at privacy and data protection obligations.

EU regulators are not against innovation. Many support AI development. But they also point out that compliance with local laws is essential. If DeepSeek is collecting personal data from Europe, it must follow GDPR rules, which include transparency and a legal basis for data processing.

The GDPR Compliance Investigation

Italy’s Garante launched its probe when DeepSeek’s privacy policy raised red flags. Officials demanded a clear explanation of data handling procedures, including details on where information is stored, who has access, and the lawfulness of these practices. DeepSeek was given 20 days to respond, but the regulator found the reply lacking in substance.

Regulators in Belgium, France, and Ireland are also looking at DeepSeek. A Belgian consumer group filed a complaint questioning how user data might be transferred to servers in China. Meanwhile, officials at the European Commission confirmed they are examining whether DeepSeek’s data processing meets EU norms.

Authorities worry that DeepSeek’s privacy policy barely references GDPR. Experts in data law, such as Professor Theodore Christakis of the University of Grenoble, argue that companies handling EU user data must acknowledge GDPR and actively meet its requirements. In this case, the lack of clarity prompts suspicions of broader non-compliance.

Commission officials have also stated that the AI Act, once fully enforced, will enhance the obligations for AI providers. This Act aims to regulate riskier AI applications, with provisions on transparency and accountability. DeepSeek’s situation gives regulators a real-life scenario to see how future rules might address global providers.

Data Privacy Risks and EU Regulations

GDPR sets strong standards around data collection, retention, and usage. It requires clear user consent or another legitimate basis for processing personal details. Companies must also provide a plain-language policy explaining how they work with data.

One major concern is DeepSeek’s links to servers in China. Under EU law, personal data can only be sent to third countries if those countries offer adequate protection or if specific contractual measures are in place. China has no adequacy decision from the EU, and its surveillance systems raise doubts about the safety of information once it leaves European soil.

Chinese tech firms have a track record of facing regulatory backlash in Europe when questions arise over government access. TikTok, for instance, has agreed to store some data in Europe, but doubts remain over what actually happens once data flows abroad. Consumer groups in Italy and Belgium raised the same question about DeepSeek: can personal details be exposed to external monitoring?

Enforcement Challenges: Can the EU Regulate DeepSeek AI?

EU regulators often find it difficult to enforce rules against companies lacking local representation. Without a branch inside the Union, these businesses might dispute fines, ignore investigations, or argue they’re not subject to EU law. This can hamper the ability of authorities to impose meaningful sanctions.

Penalties under GDPR can be high, but many worry that some providers might not comply with them if they operate solely from outside the EU. Enforcement requires cooperation across borders, legal agreements, and practical channels to collect fines.

If the AI Act creates clearer structures for cross-border cooperation, regulators might respond more effectively to potential violations. DeepSeek’s case will likely shape how lawmakers design or refine enforcement mechanisms. They hope to prevent overseas firms from offering services in the EU while sidestepping local rules.

Italy’s Decision to Block DeepSeek AI

Italy’s Garante ordered DeepSeek’s app removed from Italian app stores. It took this step after receiving what it termed a “totally insufficient” response from DeepSeek about personal data collection, storage, and usage.

DeepSeek apparently argued that it wasn’t required to answer local regulators. That stance alarmed the Garante. The agency said that if a service is active in Italy, it must follow EU law and cooperate with oversight bodies. Blocking the service was an immediate measure.

Some users in Italy still report being able to access the chatbot if they downloaded it before the ban or by visiting the company’s website. However, authorities say DeepSeek remains under investigation, and any refusal to comply could have longer-term consequences. Officials want assurance that personal data is safeguarded.

The Future of AI Regulation in Europe

This case could influence how AI policy evolves. Some officials see DeepSeek as a test of the GDPR’s reach and a preview of the AI Act in action. If the EU proves it can hold offshore providers accountable, it may encourage more responsible behaviour from AI developers.

European lawmakers have a stated goal: promote progress without sacrificing user rights. They have adopted a “human-centric” approach, which requires that any AI-driven innovation should not erode individual autonomy or privacy. By pushing firms to respect these principles, the EU hopes to set a global standard on data regulation.

Businesses and AI providers often adopt a patchwork approach when they enter new markets. But the EU has a reputation for detailed regulations and active enforcement. DeepSeek’s experience might encourage other global firms to establish robust data protection strategies if they wish to serve European customers.

It’s not all negative. Many regulators recognise that responsible AI can benefit society. Researchers in Europe want to drive ethical development, so new AI products can thrive if they honour local privacy rules. Firms that adapt quickly could gain a competitive edge in a market that values trust and transparency.

DeepSeek AI’s situation shows that regulators take GDPR obligations seriously. The Garante’s swift intervention highlights a priority to protect your data and hold companies to account when they appear to ignore EU standards.

Officials in Belgium, France, and Ireland have also turned their attention to DeepSeek, reflecting broad coordination among data protection bodies. The European Commission may step in with stricter measures if non-compliance persists. With the AI Act on the horizon, these agencies are expected to expand their oversight.

The takeaway is that non-EU providers must openly meet data rules if they want to operate across Europe. Regulators are likely to insist on transparent disclosures and genuine cooperation. By acknowledging local laws and working with authorities, AI providers can avoid bans and secure a foothold in a region that prioritises user privacy.