Is China’s DeepSeek AI compliant with GDPR?

China dramatically entered the AI arms race with the announcement of a new, supposedly ‘cheaper’ Chinese AI model called DeepSeek R1. The markets and commentators were agog at the model’s ability to do all the many things we know and love about AI these days, but at a fraction of the cost. The company claimed to have only spent $5.6 million powering their model, as opposed to the billions spent by OpenAI, Microsoft, and Google on their own, western-backed AI tools.

The announcement about DeepSeek comes just days after President Trump pledged $500 billion for AI development, a commitment that OpenAI’s Sam Altman and the Japanese investment firm SoftBank agreed to fund. With the DeepSeek news, Nvidia, a leading manufacturer of microchips used in AI development, suffered the biggest single-day share plunge of any company in history, losing $600 billion in value.

Other chip makers shed up to 17% of their value too, not to mention energy stocks—which have done well on the AI bandwagon given the inordinate amount of energy AI requires—dropped between 21-28%. All in all, a good day’s work at Communist Party Headquarters in Beijing, undermining the West’s favourite AI tools.

The GDPR risks of DeepSeek AI

Has DeepSeek AI even heard of GDPR? Despite being available in Europe at the time of writing, and collecting EU personal data like email addresses and user interactions, DeepSeek’s privacy policy doesn’t offer a single mention of GDPR.

Another GDPR breach is that DeepSeek makes no mention of the source of its training data. There is no transparency on whether EU citizens’ data was used to train the model and, if so, what the legal basis for doing so is. GDPR mandates clarity on this within privacy policies.

All the data is stored in China, according to the privacy policy. That means personal data of users, including sensitive interactions, are recorded, monitored and stored on servers in the People’s Republic. GDPR requires strict safeguards when transferring EU data to third countries. China has not been rated as an equivalent jurisdiction by the EU Commission, meaning any data sent to China must have risk assessments and be subject to additional safeguards.

DeepSeek does not mention these additional safeguards, nor the legal basis for permitting data transfers to China. It claims to comply with ‘applicable data protection laws’ but makes no mention of what they are or how they comply. Nor is there any reference to any tools used to ensure data transfers are GDPR compliant, such as Standard Contractual Clauses (SCCs).

The Italian data protection authority, known for temporarily banning ChatGPT in 2022, has now opened an investigation into DeepSeek, demanding more detail on what personal data is collected, from which sources, how the systems are trained, and the legal basis for doing so. DeepSeek has 20 days to respond.

The cybersecurity risks of DeepSeek AI

After some testing by cyber intelligence platform Kela, DeepSeek generated a ransomware programme, alongside step-by-step instructions on how to distribute the ransomware and target victims. The output generated included working code and recommendations for deploying the malware on compromised systems, while ChatGPT would block such requests. DeepSeek also offered detailed guidance, including material and assembly techniques, on how to “create explosives that are undetected at the airport.”

In another test, DeepSeek was prompted to create a programme that steals usernames, passwords, and credit card details from compromised devices. Not only did it generate malicious scripts, but it also outlined how to distribute the malware to maximise damage.

DeepSeek also fabricated false details about OpenAI employees, including emails, phone numbers, and salaries. When tested, the model confidently generated a table with fake personal information.

The systems themselves also have significant vulnerabilities, particularly to prompt injection attacks. These attacks enable malicious actors to manipulate the AI’s responses, potentially resulting in unauthorized command execution or data breaches.

China’s hidden influence behind DeepSeek

DeepSeek’s risk does not end with GDPR. The fact that it is owned and operated in China also brings significant compliance issues. It is standard practice for technology providers to maintain that users are responsible for their own inputs, meaning it could be a violation of the Terms of Service to upload content one doesn’t have the legal rights or authorisation to use, such as uploading someone else’s book to ChatGPT, having the AI rewrite it, and passing the output off as one’s own.

DeepSeek AI, however, also makes users responsible for the outputs generated by the AI tool. The Terms of Service state:

“You also represent and warrant that your submitting Inputs to us and corresponding Outputs will not violate our Terms, or any laws or regulations applicable to those Inputs and Outputs.”

DeepSeek goes on to list a range of prohibited outputs, from generating discriminatory content, to violations of business ethics, to damaging society or the economy, to those prohibited by laws and regulations, or those that harm DeepSeek’s interests. In short, if China doesn’t like your DeepSeek outputs, you could be in for some trouble.

While DeepSeek R1 presents itself as a cost-efficient and high-performing AI model, its compliance, security, and ethical standards leave much to be desired. The glaring absence of GDPR safeguards, the storage of EU user data on Chinese servers without adequate protections, and the model’s alarming ability to generate malicious outputs raise significant red flags for anyone trying out the model.

Moreover, the opaque nature of its data sourcing and the sweeping liability clauses in its terms of service further compound these concerns. For organisations operating in the EU or adhering to Western compliance frameworks, adopting DeepSeek could open the door to legal, reputational, and cybersecurity risks. As AI innovation accelerates, so too must the vigilance required to ensure that these technologies are safe, reliable, and compliant with global standards.


How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

James, CEO, VinciWorks
