Data quickly became the most valuable resource in the digital age. Technologies thrive on data, and AI is perhaps the most data-intensive of them. However, with the use of data comes the great responsibility of ensuring that users' rights under the GDPR are not breached. AI products, such as DeepSeek, are therefore not immune from data protection compliance.
The DeepSeek Case
The issues surrounding the use of DeepSeek shed light on the data protection implications of AI. Created by a Chinese large language model (LLM) developer, DeepSeek is a generative AI model similar to ChatGPT and is therefore used for the same tasks.
However, as the success of DeepSeek took over the world, European countries such as Italy blocked the AI app in their respective countries. Countries such as Ireland, Germany and France have all requested further information from DeepSeek on its data practices. Data protection authorities want to know what data is collected, where it is being stored, what the data is being used for and how long the data is retained. The main concern underlying European data authorities’ questions is likely tied to the transfer of personal data outside the EU, where concerns about the GDPR standard for protection of personal data may arise. Additionally, data protection authorities appear to be arguing that the extraterritorial provisions of the GDPR should apply, as DeepSeek processes the data of EU citizens.
DeepSeek's compliance with EU laws is likely to come under heightened scrutiny in view of the applicability of the new AI Act. However, DeepSeek's privacy policy evidently includes supplemental terms for users within the EEA, Switzerland, and UK. The latest update to DeepSeek’s privacy policy was made on 14th February 2025, following actions by certain countries to ban or block the app. The publicly available privacy policy confirms that personal data is stored on servers located in China, and therefore transfers of personal data outside the EU are very likely.
Lessons for Businesses
As a technology that relies significantly on data, AI cannot be implemented without a thorough assessment of the data protection considerations.
The AI Act itself mandates that AI systems must be data protection compliant. When businesses consider the adoption, implementation or deployment of AI systems, the data protection implications must be assessed at the start of the implementation process. Some aspects to consider include adopting a privacy-by-design approach in the initial stages of adoption, the location of data storage, and the implementation of security measures to protect personal data.
Whether based in the EU or outside the EU, businesses must prove they have met their data obligations before launching their product. Data protection compliance cannot be treated as an afterthought.
How we can help
Our data and technology lawyers use their legal knowledge in data protection and AI to assist businesses in implementing AI while adhering to data protection regulations. Our experts can review your current practices, identify areas for improvement, and offer solutions tailored to your specific needs. Ensuring compliance not only protects your business from legal repercussions but also builds trust with your customers and enhances your reputation in the market.
Contact us to verify that your data and AI responsibilities are being met.