DeepSeek Questioned by DPA and Euroconsumers on User Data Processing

• Euroconsumers and Italian DPA have written to China-based DeepSeek regarding the processing of user data. 
• A deadline of 20 days has been extended to respond to the concerns raised by the consumer protection organization.
• DeepSeek has risen to fame for its low cost; however, how it stores and processes user data, especially of minors, is not clear.

DeepSeek is under scrutiny regarding the way it processes user data in accordance with the General Data Protection Regulation (GDPR), as Euroconsumers and the Italian Data Protection Authority (DPA) filed a complaint against the AI company.

Euroconsumers is a European consumer organization that works in coalition between Belgium, Spain, Portugal, Italy, Luxembourg, and Brazil.

A Forbes report confirmed that DeepSeek collects keystroke patterns and device IDs without any explanation as to how it helps them continue providing service.

The Italian DPA also sent a request for information to the China-based AI model developer asking how it collects its citizens’ data. They offered a deadline of 20 days to respond to the information request. 

Among the concerns expressed was how the data collection by DeepSeek falls under the privacy policy of China, which states the information is processed in compliance with the country’s legal obligations, performing tasks in the public interest– including protecting the interests of their people.

The Italian DPA asked Hangzhou and Beijing DeepSeek particular questions about the type, source, and purpose of the information it collects and processes within servers in the country. This includes the raw data used to train the AI models and the legal grounds on which such acts are conducted. 

Furthermore, they asked if the data of Italian nationals – both registered and otherwise – was collected through web scraping procedures or if the individuals were notified about it. 

Another concern expressed by the DPA was the lack of information on how DeepSeek protected or handled the data of minors. The AI giant’s policy states that it is not to be used by those under the age of 18. However, there is no mechanism to employ this policy or verify age on the platform. 

All this occurred in the middle of cyber attacks targeting the latest AI model version, DeepSeek R1, creating further speculation over data abuse in the hands of threat actors. 

Security researchers recently reported vulnerabilities in DeepSeek R1 that allowed jailbreaking, having the model share malicious codes, and information for creating explosive devices. The company website has also suffered cloning attacks leading to possible phishing scams.