Italian Data Protection Authority Blocks DeepSeek Over GDPR Privacy Violations

High

Italy's data protection authority blocked Chinese AI company DeepSeek from processing Italian user data over GDPR violations, citing lack of transparency and proper legal basis for data processing.

Category: Privacy Leak
Industry: Technology
Status: Ongoing
Date Occurred: Jan 27, 2025
Date Reported: Jan 27, 2025
Jurisdiction: EU
AI Provider: Other/Unknown
Model: DeepSeek-V3
Application Type: chatbot
Harm Type: privacy
Human Review in Place: Unknown
Litigation Filed: No
Regulatory Body: Garante per la Protezione dei Dati Personali
Tags: GDPR, privacy, data protection, regulatory enforcement, AI compliance, Italy, DeepSeek, cross-border data transfer

Full Description

On January 27, 2025, Italy's data protection authority, the Garante per la Protezione dei Dati Personali, issued an order blocking DeepSeek, a Chinese AI company, from processing personal data of Italian users. The action mirrors the regulator's March 2023 temporary ban on ChatGPT, demonstrating continued scrutiny of AI companies' compliance with the General Data Protection Regulation (GDPR).

The Garante cited several specific violations in its enforcement action against DeepSeek. The primary concerns included the company's failure to provide transparent information about how personal data is collected and processed, the lack of an adequate legal basis for processing personal data under GDPR Article 6, and insufficient privacy safeguards for European users. The regulator noted that DeepSeek's privacy policy and terms of service did not meet EU standards for clarity and comprehensiveness.

DeepSeek, developed by Chinese company High-Flyer Capital Management, had gained significant attention for its competitive performance relative to leading Western AI models while claiming lower computational costs. The service processes user conversations and queries, potentially collecting vast amounts of personal data, including sensitive information shared in conversations. The Italian regulator expressed particular concern about the cross-border transfer of this data to China without adequate safeguards.

This enforcement action is part of a broader pattern of EU regulators challenging AI companies over privacy compliance. Following Italy's ChatGPT ban in 2023, which was lifted after OpenAI implemented additional privacy measures, other EU authorities have increased scrutiny of AI services. The European Data Protection Board has emphasized that AI companies must demonstrate a clear lawful basis for processing personal data and implement privacy-by-design principles.

The blocking order requires DeepSeek to immediately cease processing personal data of Italian users until it can demonstrate full GDPR compliance. This includes appointing an EU representative, conducting data protection impact assessments, implementing appropriate technical and organizational measures, and revising its privacy documentation to meet EU standards. The company faces potential fines of up to 4% of global annual revenue if it fails to comply.

Root Cause

DeepSeek failed to provide adequate transparency about its data processing activities, lacked a proper legal basis for processing personal data under GDPR, and did not implement sufficient privacy safeguards for EU users.

Mitigation Analysis

Implementing a comprehensive GDPR compliance framework, including clear privacy notices, lawful basis documentation, data protection impact assessments, and the appointment of an EU representative, could have prevented this block. Regular privacy audits and proactive engagement with EU data protection authorities would have identified compliance gaps before enforcement action.

Lessons Learned

This incident reinforces that AI companies operating globally must implement region-specific privacy compliance measures from launch, not as an afterthought. The pattern of EU enforcement against AI services demonstrates that regulators will not hesitate to block access to protect citizen privacy rights.

Sources

Garante Order Against DeepSeek
Garante per la Protezione dei Dati Personali · Jan 27, 2025 · regulatory action
Italy blocks DeepSeek over privacy concerns
Reuters · Jan 27, 2025 · news