In a landmark move that could reshape the competitive AI landscape in Europe, Germany’s Berlin Data Protection Commissioner has officially declared the data practices of Chinese AI firm DeepSeek to be unlawful under the EU’s General Data Protection Regulation (GDPR). Germany has asked Apple and Google to block the DeepSeek app from their stores.
This decision underscores a rising tide of regulatory scrutiny around non-European AI companies and signals the growing power of data protection law as a geopolitical lever, especially in the EU.
Why is DeepSeek in trouble?
At the heart of Germany’s concern is DeepSeek’s cross-border data transfer practices. The Berlin commissioner, Meike Kamp, determined that the company cannot convincingly demonstrate that German users’ personal data is protected in China at a level equivalent to EU standards, a requirement under GDPR for any data transfer outside the European Economic Area.
According to DeepSeek’s own privacy policy, it stores users’ inputs and uploaded files on servers in China. That raises major red flags. Chinese law grants sweeping access rights to government agencies over domestic companies’ data. Furthermore, European users would have little or no legal recourse in China if their data were mishandled or accessed unlawfully.
“Chinese authorities have extensive access rights to personal data within the sphere of influence of Chinese companies. DeepSeek users in China do not have enforceable rights and effective legal remedies as guaranteed in the European Union,” noted Kamp.
The consequences
While Germany cannot unilaterally enforce a full EU-wide ban, the implications of this move are substantial. By urging Google and Apple to remove DeepSeek from their app stores in Germany, regulators have essentially initiated a process that could lead to de facto regional exclusion. If Apple and Google comply, access to the app by German users, and possibly users across the EU, would be cut off.
Matt Holman, a UK-based AI and data protection lawyer, said, “It is certainly possible that this incident could lead to an EU-wide ban…The rules that apply in Germany are the same elsewhere in the EU and also in the UK.”
App store decisions tend to be regionally uniform. If DeepSeek is removed in Germany, it is highly likely to disappear across other European countries, regardless of whether individual regulators have yet taken action.
Will other EU countries follow?
Some already are. Some are moving in that direction:
- Italy has already ordered DeepSeek to block its app over similar data protection concerns.
- Ireland has launched an inquiry into DeepSeek’s processing activities.
- The Netherlands has banned the app on government devices.
- Belgium has recommended against using the app and is conducting further assessments.
- Spain’s consumer protection agency has urged the national data authority to investigate.
- The UK has not taken direct action but is actively monitoring potential national security threats.
Germany may be the first EU country to officially declare DeepSeek’s data transfers illegal, but it’s not alone in its concerns. And the Brussels effect is historically strong. The EU has demonstrated its ability to shape global digital and commercial practices by enforcing high regulatory standards, most specifically through GDPR.
The implications for AI
Germany’s action is not just about data protection. It’s also about trust and security in the era of generative AI. DeepSeek made waves earlier this year by claiming it could build ChatGPT-level models at a fraction of the cost. But its reliance on Chinese infrastructure, data policies and lack of transparency has drawn sharp regulatory attention in both Europe and the US. Lawmakers in the US are even considering legislation to ban executive agencies from using Chinese-developed AI models.
If the German-led scrutiny leads to a broader EU-wide ban, the implications are significant. It’s likely that any AI company that cannot meet EU data protection standards, especially in terms of data transfers and user rights, will find itself locked out of one of the world’s largest digital markets. Also, Germany’s request to Apple and Google elevates these private tech platforms into key enforcement actors. Their response could determine whether GDPR becomes an even more powerful tool for regulating foreign AI services.
This move also demonstrates that Europe is placing data protection and user rights at the center of AI governance. In the US, for example, innovation and national security often dominate AI policy. This is becoming a strategic differentiator, and possibly a barrier for companies operating under looser regimes.
It also could demonstrate that tech regulation is the new trade war frontier. DeepSeek may also be linked to Chinese military and intelligence operations. This aligns data protection with national security, a potent combination that could lead to faster regulatory alignment across the EU and UK.
What’s next?
Whether or not Apple and Google comply, Germany’s action is likely to accelerate investigations across the EU. The European Data Protection Board (EDPB) could coordinate a response and national regulators may feel increased pressure to issue similar rulings or bans to stay aligned.
If the EU eventually moves toward a harmonised position, as it often does with GDPR enforcement, DeepSeek could face the same fate as TikTok on certain government devices: A slow but steady squeeze from one of the world’s most regulatory-conscious markets.
As AI adoption grows and geopolitical tensions deepen, DeepSeek’s case may become a blueprint for how the EU keeps foreign AI companies in check, not with trade sanctions, but with data law.
Our global data protection courses will ensure compliance through engaging e-learning. Our interactive modules help staff stay compliant, reduce risk, and meet regulatory obligations across all industries. Get info here.
