Economy

Why the Guarantor blocked DeepSeek in Italy

The column – An Italian in China

On January 30, 2025, the Guarantor for the Protection of Personal Data adopted an inhibitory measure against DeepSeek, an advanced chatbot developed in China, similar to OpenAI's ChatGPT and known for its advanced linguistic skills and for a more competitive economic model than the main Western competitors, prohibiting access to and processing of the personal data of Italian users. Following this decision, the application was removed from the Apple and Google digital stores in Italy. The measure sparked a broad debate on compliance with European legislation on the protection of personal data and on the responsibilities of foreign technology companies that operate, directly or indirectly, in the European market.

The Guarantor's intervention is part of a broader framework of rigorous application of the General Data Protection Regulation (GDPR) and follows previous measures adopted against other digital platforms for alleged violations of the legislation. However, the DeepSeek case takes on particular relevance because of the geopolitical and technological context in which it arises. The application, developed in China, has established itself as an alternative to OpenAI's ChatGPT, offering advanced features at a competitive cost compared to the main Western competitors.

The reasons for the Guarantor's measure

The authority opened an investigation to verify DeepSeek's compliance with the European rules on the protection of personal data. Attention focused on the type of data collected, the sources from which it is obtained, the purposes of the processing and the legal basis that legitimizes it. One of the most critical aspects of the investigation concerned the location of the servers on which the data are stored and the risk of unlawful transfers of personal information outside the European Economic Area.

In response to these requests, DeepSeek declared that it did not operate directly in Italy and that it did not consider European legislation applicable to its business. However, the Guarantor considered this position insufficient, underlining that the service was nonetheless accessible to Italian users through the web version. Consequently, the company falls within the scope of the GDPR pursuant to Article 3, paragraph 2, letter a), of the regulation, which extends its applicability to non-European companies that process the data of residents of the European Union.

The investigation highlighted several violations of the GDPR. Among the main critical issues, the Guarantor found that the application's privacy policy was available only in English, contrary to the transparency obligations laid down in Articles 12, 13 and 14 of the regulation. In addition, the documentation provided did not clearly specify the legal basis for the processing of personal data, which constitutes a violation of Article 6. The lack of clear information on how the data are processed also prevented users from exercising their rights, as required by Chapter III of the GDPR.

Another critical issue concerned the transfer of personal data outside the European Union. According to what emerged from the investigation, the information collected was stored on servers located in China, without the guarantees required by Article 44 of the regulation for the cross-border transfer of personal data. In addition, the company had not designated a representative established in the European Union, as required by Article 27 of the GDPR for non-European companies that process the data of EU citizens.

On the basis of these violations, the Guarantor adopted an inhibitory measure, ordering DeepSeek to immediately cease the processing of personal data of Italian users.

The possible consequences for DeepSeek

The immediate effect of the measure does not exhaust the potential implications for DeepSeek, which could face more serious consequences. Violation of the provisions of the GDPR may in fact lead to the imposition of significant administrative sanctions. Pursuant to Article 83, paragraph 5, letter e), of the regulation, the contested violations could lead to a penalty of up to 20 million euros or equal to 4% of the global annual turnover, whichever is higher. The determination of the sanction will depend on various elements, including the severity of the violations, the nature of the processed data, the intentional character of the contested conduct and the degree of cooperation of the company with the supervisory authorities.

In addition to administrative penalties, there is the possibility of criminal consequences. Failure to comply with a measure of the Guarantor in fact constitutes a crime pursuant to Article 170 of the Italian Privacy Code, which provides for the possibility of a prison sentence of three months to two years for those responsible.

The future of AI regulation and the lesson of the DeepSeek case

The Guarantor's intervention against DeepSeek is not an isolated episode, but is part of a wider trend of strengthening the supervision of artificial intelligence services and of their impact on the protection of personal data. The decision of the Italian authority constitutes a relevant precedent, intended to influence the behavior of other non-European companies that intend to offer services accessible within the European Union without adapting to the obligations imposed by the GDPR.

This story also highlights the need for more effective international coordination in regulating artificial intelligence. The various national and regional regulations on data protection adopt different approaches, creating potential regulatory conflicts and obstacles for technology companies operating on a global scale. Organizations such as the United Nations and the OECD are trying to define common standards, but the path to harmonized regulation still appears long and complex.

What emerges clearly from the DeepSeek case is that the European Union continues to exercise stringent vigilance over the protection of personal data, confirming that compliance with the GDPR is an essential requirement for any company that intends to operate in the EU market. The decision of the Italian Guarantor shows that national authorities are ready to intervene decisively to guarantee compliance with current regulations, regardless of the origin of the companies involved. For DeepSeek and for other technology companies, ignoring these obligations could involve legal and economic consequences of great importance, making compliance with data protection legislation a determining factor for their sustainability in the European market.

Curated by: Avv. Carlo Diego D’Andrea, Managing Partner of D’Andrea & Partners Legal Counsel, national vice president of the European Union Chamber of Commerce in China (Euccc)