EC Not Acting on DeepSeek Concerns but EU Privacy Watchdogs Are
The European Commission hasn't taken formal steps under the AI Act (AIA) concerning the DeepSeek AI chatbot, an EC spokesperson told us. However, several EU data protection authorities (DPAs) are probing whether DeepSeek has complied with the General Data Protection Regulation (GDPR).
The EC continually monitors market and technology developments for their potential effects on the EU, and under the AIA, the EU AI Office will be responsible for watching developments in the field of advanced AI models, the commission's spokesperson said. However, the spokesperson added, those provisions aren't applicable until August. Any company can offer its services in the EU provided it complies with EU law, including the GDPR, the spokesperson noted.
CNIL, the French DPA, hasn't recorded reports or complaints about DeepSeek, it said in an email Monday. Its AI department is analyzing the tool and will send DeepSeek questions to better understand how the AI system works and the data protection risks involved.
Italian DPA Garante last week banned Hangzhou DeepSeek AI and Beijing DeepSeek AI "as a matter of urgency and with immediate effect." The ban followed DeepSeek's assertion that its companies don't operate in Italy and so EU law doesn't cover them. Italy's move prompted similar action from Texas Governor Greg Abbott (R) (see 2501310045).
The Irish Data Protection Commission (DPC) has reportedly asked DeepSeek for information on how it processes Irish citizens' personal data. The DPC didn't comment. Other DPAs reportedly examining DeepSeek include Croatia and Belgium.
"Generative AI developers and deployers need to make sure people have meaningful, concise and easily accessible information about the use of their personal data and have clear and effective processes for enabling people to exercise their information rights," a U.K. Information Commissioner's Office spokesperson told us Monday. The office said it will continue engaging with stakeholders on promoting effective transparency measures, "without shying away from taking action when our regulatory expectations are ignored."
It's unsurprising to see European regulators scrutinizing "data practices that touch on two of the most sensitive issues for them: AI and international data transfers," Hogan Lovells privacy attorney Eduardo Ustaran emailed Monday. It's understandable that they want to be knowledgeable on this topic, "which is so prone to hype."
Ustaran said he expects that, as DPAs typically do, the regulators will each send separate requests for information about DeepSeek's data protection practices, focusing on things like the legal basis for processing, mechanisms in place to comply with data protection by design, and the assessment of risks around international data flows.
Last week, Wiz Research identified a publicly accessible ClickHouse database belonging to DeepSeek that allowed full control over database operations, including the ability to access internal data, Wiz blogged. "The exposure included over a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information," Wiz Research said. When researchers notified DeepSeek, it "promptly secured the exposure."