When DeepSeek's newest artificial intelligence chatbot came onto the scene, it took nearly a month for regulators to take note of questions around its privacy practices.
The China-based AI startup released its first models in November 2023. Subsequent releases slowly garnered more notice, as researchers claimed the DeepSeek AI models were performing just as well as their U.S. contemporaries and were much cheaper to train. The most recent model, DeepSeek-V3, was released in December 2024.
But it was not until the chatbot replaced OpenAI's ChatGPT as the top downloaded application in late January that DeepSeek really took off. Wall Street investors panicked over big-dollar U.S. company investments in light of the model's cheaper price tag. Alarmed by the company's candid disclosure that it stores its users' data on servers in China and collects information users share as well as information from other sources, consumer advocacy groups asked Italy's and Belgium's data protection authorities to investigate.
The situation sheds light on the tough task ahead for regulators as they try to monitor the rapidly changing AI industry.
The European Data Protection Board issued a statement in July 2024 explaining its view on the role data protection authorities should play in EU AI Act enforcement, noting member states should appoint DPAs as market surveillance authorities and "the single points of contact for the public and counterparts at Member State and EU levels." A strong market outlook portends that established players as well as newcomers will be entering the AI scene in 2025, according to The National Law Review.
Future of Privacy Forum EU Senior Policy Counsel Vincenzo Tiani said the deluge of AI products and limited resources of DPAs means regulators will likely need to rely somewhat on consumer groups and media reports to alert them to potential data privacy violations.
"They don't have the time and resources to actively investigate every new thing, I would say," Tiani said. "There is already all the normal GDPR stuff, plus these new challenges with AI."
"I mean we have to be pragmatic; there's no other way to do it so far," he added.
There have now been several warnings issued around DeepSeek, including a ban in Italy after the company told the data protection authority, the Garante, that the EU General Data Protection Regulation does not apply to its chatbot.
As of 26 Feb., several EU DPAs told the IAPP they are monitoring DeepSeek in actions that ranged from watching for updates from fellow regulators to issuing warnings to the public about the app's privacy risks. Ten respondents offered various insights into how they keep up with emerging AI apps. DeepSeek did not respond to a request for comment.
Staying apprised of emerging issues
The Garante, one of the few with an active investigation into DeepSeek, said it could not comment on its probe but did note its previous track record in bringing enforcement actions against AI companies, such as Replika and OpenAI's ChatGPT, as proof of its close attention to developments in the industry.
Some DPAs noted there may be greater coordinated action against the Chinese company after the EDPB broadened the scope of a taskforce dedicated to coordinating enforcement actions around ChatGPT to include it. They cited coordination at the board level as one of the key ways they stay updated on developments in the AI industry.
Lithuania's State Data Protection Inspector urged residents to not use the app or think carefully about how they use it, citing insufficient information about its privacy practices. Inga Mauricienė, an advisor in SDPI’s law division, said it counts members of society, news media, public insights and its peers as sources of AI intelligence.
"While we stay informed as much as possible, it's not feasible to track every new AI product on the market," she said.
Sweden's DPA, Integritetsskyddsmyndigheten, pointed to its regulatory sandbox efforts, which allow companies to preview their products for the agency and get insight into potential regulatory problems prior to entering the market, as one way it keeps up with AI technologies. Depending on what outside information is available, the IMY also looks at a product's capabilities, performance and functionality to determine whether it deserves more scrutiny.
"Additionally, we usually look into the development process, including training methodologies and data flows, to gain an understanding of the service, product or technology in question," IMY legal specialist Per Nydén said.
DeepSeek enforcement has not been confined to the EU.
South Korea's Personal Information Protection Commission blocked DeepSeek from operating in the country until it changes how it processes personal data. The PIPC may have more leverage than its EU counterparts: the company had designated a domestic representative and wants to work with the commission on changes, according to the agency.
The U.S. National Security Council was also looking at the application.
'It's not going away'
Marco Scialdone, the head of litigation and academic outreach at Euroconsumers, said the issues around DeepSeek's privacy practices were "crystal clear" after a colleague sent him an internal report about the chatbot asking him to take a look at it. The consumer group chose Italy as the first place to raise the alarm because it knew the Garante would likely take up the case, given its prior enforcement actions, he said.
But Scialdone noted DPAs are free to choose whether to act on a complaint. Since DeepSeek did not appoint a representative in the EU as required under the GDPR, all DPAs are able to tackle the issue.
He said it’s likely regulators will still need to rely on reports from the media and consumer groups when there is an issue because AI technology has changed so much recently. But he said DPAs are already adapting.
"There's this different approach now, it's more pragmatic, because the technology is here," Scialdone said. "We need to deal with it, because it's not going away, so we need to find a way. And I think this is the traditional path every time a new technology pops up."
FPF's Tiani said companies will have to make certain disclosures around their AI products as provisions of the EU AI Act take effect, which might make it easier for regulators to notice when a company is out of compliance. He noted DPAs will often choose a topic to focus on and alert businesses they may be audited, which gives them a chance to work together to solve potential problems.
"It's a constant dialogue between the DPAs, the enforcer, and the companies," he said.
Caitlin Andrews is a staff writer for the IAPP.