In recent years, the Italian Data Protection Authority (Garante per la Protezione dei dati personali) has taken a clear stance towards big technology companies that introduce their services in Italy before their compliance with the GDPR and the Italian Data Protection Act has been verified. We are referring to the Clearview case of 2022, which resulted in a fine of EUR 20 million, and the preliminary ban of OpenAI's AI tool, ChatGPT, in 2023.

The Garante did not miss the opportunity to verify, by means of an investigation, the compliance of the newly developed AI model, DeepSeek, and this investigation led to a temporary ban. DeepSeek is developed by two Chinese AI companies that specialize in open-source Large Language Model (LLM) AI technologies. The generative AI language model and its code are freely available for use, modification, viewing, and designing documents for building purposes. This is one of the aspects that made DeepSeek a strong competitor of other well-known generative AI models like ChatGPT, and it had a strong impact on the markets after its launch, especially in the US.

The Garante’s investigations

On the 28th of January 2025, the Italian Garante asked the two Chinese companies behind DeepSeek (Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence) to provide specific information on the chatbot service, both web- and app-based.

The Garante identified a high risk for Italian data subjects in the use of this technology. It therefore addressed some clarification requests to the data controller, in light of the GDPR, in order to obtain more details on:

  • personal data categories collected,
  • the sources used,
  • the purposes pursued,
  • the legal basis of the processing, and
  • whether data are stored on servers located in China.

In addition to this basic information on the lawfulness of the processing, the Authority asked whether the data were used to train the artificial intelligence system and, where personal data are collected through web scraping activities, whether adequate information was provided to the users of the service.

DeepSeek’s Response

DeepSeek responded promptly to the Authority. The response mainly stated that, according to the company, the services were not deployed in Italy and are not planned to be deployed there, and that the GDPR would therefore not apply.

Reaction of the Authority

The response, however, was not found satisfactory and triggered the immediate reaction of the Authority. The Garante ascertained that, although the app version was not available in the Italian smartphone operating platforms, the web-based version was actually operational (except for the limitation of specific recordings, due to suspected malicious attacks) and used by Italian data subjects, which makes the GDPR applicable. After recognising that the European data protection laws applied, the Garante identified several breaches, in particular:

  • DeepSeek did not specify the details of the processing activities, in breach of the cooperation principle stated by Art. 31 GDPR, which requires controllers and processors falling within the scope of EU data protection law to collaborate with the supervisory authorities;
  • The privacy policy was published only in English, against the transparency principle (hence, it was not immediately understandable by Italian data subjects), and did not provide sufficient information on the processing or on the legal basis for processing;
  • Personal data are stored in China, in violation of the security measures set out in Art. 32 GDPR; finally,
  • The controller did not appoint a Representative, which is a legal obligation for companies that process personal data within the scope of the GDPR and are not established in the European Union.

In consideration of the above, and in line with Art. 58.2 (f) GDPR, which gives the supervisory authorities the power to impose corrective measures, the Garante imposed a limitation of the processing and thereby banned the use of DeepSeek AI technologies that process personal data of Italian data subjects. The limitation remains valid until appropriate investigations have been carried out.

Finally, the Garante recalled that, in the event of failure to comply with the limitations imposed in the Italian market, appropriate administrative and criminal sanctions shall apply.

The development and use of new, sophisticated technologies is now part of our daily lives. It has an impact on the security of our personal data and sometimes raises concerns in the community of users. Measures such as the one imposed by the Italian Authority are a strong reminder for technology providers that the EU regulatory and enforcement institutions already have the power to identify and intervene in operations that involve personal data, in conjunction with the more recent legislation on Artificial Intelligence systems.