Artificial Intelligence & Machine Learning
,
General Data Protection Regulation (GDPR)
,
Next-Generation Technologies & Secure Development
Data Storage in China Sparks Privacy Concerns

The Italian data regulator launched an inquiry into data storage and processing practices of Chinese generative model DeepSeek following the Friday public debut of its R1 reasoning model.
See Also: OnDemand | Fireside Chat: Staying Secure and Compliant Alongside AI Innovation
The data protection authority, known as Garante, sent letters Tuesday requesting information from Hangzhou-based DeepSeek and Beijing-based DeepSeek Artificial Intelligence, the companies behind DeepSeek large language model. TechCrunch reported that the Irish Data Protection Commission also requesting details concerning how the company processes the data of Irish users.
Friday’s widespread introduction of the R1 model caused a crisis of confidence in the U.S. AI industry, with investors driving down the price of tech companies. Consumer interest sent DeepSeek to the top of the Apple App store. American companies have since questioned whether DeepSeek has actually made the low-cost AI breakthrough it purports to have made (see: Accusations Mount Against DeepSeek Over AI Plagiarism).
“The authority is considering the possible high risk for the data of millions of people in Italy, personal data are collected, from which sources, for what purposes, what the legal basis of the processing is, and whether they are stored on servers located in China,” Garante said. It gave DeepSeek 20 days to respond. Reuters reported Wednesday that the DeepSeek app is no longer available in the Apple and Google app stores in Italy.
Garante launched the probes based on a complaint it received from Euroconsumers, a coalition of five national consumer organizations.
The complaint references DeepSeek’s privacy policy, which Euroconsumers says shows the company disclosing that it illegally transfers user data to servers located in China. Commercial data flows involving European residents are subject to often brittle trans-national legal frameworks meant to shield Europeans from nation-state surveillance. The consumer organization also raised concerns about DeepSeek’s lack of clarity on whether it uses data for automated decision-making and its age verification process.
“The privacy policy published on the official website of the joint controllers, reveals multiple violations of European and national protection laws,” the organization said.>
The European Commission currently does have a standing legal framework permitting commercial data flows with China. DeepSeek additionally does not have an office in Europe, meaning its chatbot may not be governed by the General Data Protection Regulation, Europe’s privacy law, saidsaid Theodore Christakis, professor of European and digital law at University Grenoble Alpe in France
“DeepSeek may be the AI world’s hottest newcomer, but without robust data protection practices, its splash could turn into a GDPR compliance crisis. Let’s stay vigilant and ensure innovation doesn’t overshadow privacy and regulatory responsibilities,” Christakis said.
A European Commission spokesperson told reporters Tuesday that Europe will defend its citizens’ privacy. “The services that will be offered here in the EU by providers will respect our rules,” said Thomas Regnier. “This includes, indeed, privacy requirements.”