The Garante imposes a definitive limitation on the processing of Italian users’ personal data

Written By

Adriano D'Ottavio

Counsel
Italy

I am a lawyer with a strong passion for new technology. My goal is to provide practical solutions to complex issues.

On 30 January 2025, the Italian Data Protection Authority (Garante or Authority) imposed, as a matter of urgency and with immediate effect, a definitive limitation on the processing of Italian users’ personal data on Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence (the “Companies”), the Chinese companies providing the DeepSeek chatbot service (DeepSeek). DeepSeek is an open-source large language model (LLM) that has gained attention for its cost-efficient development process.

At the end of January 2025, the Garante received a complaint from Altroconsumo (one of the leading consumer organisations in Italy) alleging serious violations of Regulation (EU) 2016/679 (GDPR) in DeepSeek’s processing activities, which it discovered while analysing the contractual conditions and functioning of the Chinese AI service.

On 28 January 2025, due to the high risk to the data of millions of Italians (as many likely downloaded DeepSeek soon after its launch), the Garante sent to the Companies a request for information. The Companies had 20 days to provide the Garante with details about (i) the categories of personal data collected, (ii) the sources of personal data (e.g., whether personal data were collected through web scraping activities), (iii) the purposes and legal bases for processing, (iv) the country where data were stored, and (v) whether and how the obligation to inform users was fulfilled.

The Companies responded to the Garante before the 20-day period expired, but the Authority found the responses insufficient and inadequate, leaving unresolved questions about the processing of personal data. The Companies claimed that (i) they did not operate in Italy, (ii) they had removed the DeepSeek app from the app stores, and (iii) they were not subject to the GDPR. However, this position conflicted with the evidence gathered by the Garante and increased suspicions about the lack of transparency in the Companies’ operations.

Although on 30 January 2025 DeepSeek was no longer available in the Apple and Google App Stores, nor was it accessible via the QR Code on the website linking to those App Stores, it was still accessible through the website, even if there was a sign-up restriction due to large-scale malicious attacks on DeepSeek’s services. The Garante therefore concluded that the Companies unquestionably offered DeepSeek’s services to Italian data subjects and, as a result, the provisions of the GDPR are applicable, including the obligation to appoint a representative in the EU under Article 27 GDPR.

The Garante also noted that the privacy policy of the DeepSeek service expressly informs users that the personal data collected are stored in China, in violation of the safeguards provided for by the GDPR, in particular Article 32 concerning the security of processing.

Even if the information collected confirmed several of the Garante’s concerns on the risks of the processing for Italian users’ personal data, the Companies did not provide any explanation on the main aspects of the processing activities carried out in the context of the provision of DeepSeek’s services (e.g., categories of personal data collected, purposes and legal bases for processing), nor was such information clearly set out in DeepSeek’s privacy policy.

Taking into account the lack of cooperation and the ascertained concrete risk to the privacy of users in Italy, the Garante adopted, as a matter of urgency, an immediate and definitive limitation on the processing activities regarding Italian users. This decision prevents the Companies from collecting, processing or storing data of Italian users until all the critical issues arising from the Authority’s investigation have been clarified and duly fixed. Indeed, the Garante is currently carrying out an in-depth investigation into DeepSeek’s compliance with the GDPR, also to assess the impact on data subjects’ rights of what was unduly collected through this service.

DeepSeek’s “block” imposed by the Garante “is an emblematic case that once again highlights the significant cultural differences in how data protection is also understood: democratically and transparently ensured in Europe and subordinated to state control in China and many other countries where the GDPR is not in force”, declared one of the four Panel Members of the Garante in a recent interview.

The Garante considers that this local case, which is being followed by similar initiatives in other EU countries, underlines the strategic importance of careful regulation of generative AI that always and in parallel combines technological development and people’s rights, as well as the need for a diligent attitude to transparency and fairness in the processing of personal data, especially when it involves non-EU companies.
