The Italian Data Protection Authority, known as Garante, has blocked DeepSeek AI from processing Italians’ personal data due to concerns about how the Chinese AI model handles private information. Garante is not convinced by DeepSeek’s assertion that it does not operate in Italy and is therefore not subject to European Union laws, including the General Data Protection Regulation (GDPR). In a press release, Garante stated, “Contrary to the Authority’s findings, the companies stated that they do not operate in Italy and that European regulations do not apply to them.”
On Tuesday, Garante initiated an investigation into Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence, giving the companies 20 days to provide detailed information on how their AI chatbot complies with GDPR. The investigation will focus on what data is collected, the purposes for which it is used, where it is stored, and whether it has been used to train the AI model. As a result of the block, DeepSeek will no longer be available on app stores in Italy, though users may still access it online through virtual private networks (VPNs).
This situation mirrors a similar incident in April 2023, when OpenAI’s ChatGPT was banned in Italy for a month over privacy violations, resulting in a €15 million fine. DeepSeek’s parent companies, which are not legally established in any EU member state, are now vulnerable to investigations by data protection authorities in all 26 other EU countries. So far, Belgian and Irish authorities have opened probes, requesting information from DeepSeek about the processing and storage of their citizens’ data. The French data protection authority, CNIL, has also announced that it will analyze DeepSeek’s operations and question the company, while Portuguese and Spanish authorities are likely to follow suit.
The actions taken by Italian and other European authorities underscore the EU’s commitment to enforcing GDPR and protecting citizens’ data privacy, even when dealing with non-EU companies. This case highlights the challenges AI companies face in navigating complex regulatory landscapes, particularly in regions with stringent data protection laws. If DeepSeek fails to address these concerns, it could face significant fines, bans, or operational restrictions across the EU. More countries may join the investigation, further intensifying the scrutiny on DeepSeek and other AI companies operating in Europe.