AI and Privacy: Why the Italian Data Protection Authority Has Blocked DeepSeek

This article was originally published in Italian in Panorama on 31 March 2025.

Please note that this is a courtesy translation of the Italian-language article originally published in Panorama magazine at: https://www.panorama.it/tempo-libero/tecnologia/ai-e-privacy-perche-il-garante-ha-bloccato-deepseek-in-italia


On 30 January 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) issued an injunctive order against DeepSeek – an advanced chatbot developed in China, similar to OpenAI's ChatGPT, known for its sophisticated language capabilities and for offering a more competitive economic model than its main Western competitors – prohibiting access to and the processing of personal data of Italian users. Following this decision, the application was removed from Apple’s and Google’s digital stores in Italy. The measure has sparked widespread debate on compliance with European data protection law and on the responsibilities of foreign technology companies operating, directly or indirectly, within the European market.


The Garante’s intervention is part of a broader framework of strict enforcement of the General Data Protection Regulation (GDPR), and follows previous orders issued against other digital platforms for alleged breaches of the Regulation. However, the DeepSeek case is particularly significant due to its geopolitical and technological context. Developed in China, the application has positioned itself as an alternative to OpenAI’s ChatGPT, offering advanced features at a more competitive price point than major Western rivals.

Grounds for the Garante’s Decision

The Authority launched an investigation to assess DeepSeek’s compliance with European data protection rules. The inquiry focused on the types of data collected, the sources of such data, the purposes of processing, and the legal basis invoked to justify such processing. One of the most critical aspects of the investigation concerned the location of the servers where data was stored and the risk of unlawful transfers of personal data outside the European Economic Area.

In response to these concerns, DeepSeek claimed that it does not operate directly in Italy and that it considered European data protection law to be inapplicable to its activities. However, the Garante rejected this argument, highlighting that the service was nonetheless accessible to Italian users via the web version. Accordingly, the company fell within the territorial scope of the GDPR under Article 3(2)(a) of the Regulation, which extends the GDPR’s applicability to non-EU companies processing the personal data of individuals residing in the European Union.

The investigation revealed multiple violations of the GDPR. Among the main issues identified, the Garante found that the application’s privacy policy was available only in English, in breach of the transparency obligations under Articles 12, 13 and 14 of the Regulation. Furthermore, the documentation provided failed to clearly identify the legal basis for processing personal data, resulting in a violation of Article 6. The lack of clear information on processing methods also prevented users from exercising their rights, as provided for in Chapter III of the GDPR.

Another major concern was the transfer of personal data outside the European Union. The investigation found that the data collected was stored on servers located in China, without the safeguards required under Article 44 of the Regulation for international data transfers. In addition, the company had failed to designate a representative within the European Union, as required by Article 27 of the GDPR for non-EU companies processing EU citizens' personal data.

Based on these violations, the Garante issued an injunctive order requiring DeepSeek to immediately cease the processing of personal data of Italian users.

Potential Consequences for DeepSeek

The injunction's immediate effect is not the only potential consequence for DeepSeek, which may face more serious ones. Violations of GDPR provisions may result in the imposition of substantial administrative fines. Pursuant to Article 83(5)(e) of the Regulation, the alleged infringements may lead to a fine of up to EUR 20 million or 4% of the global annual turnover, whichever is higher. The final amount will depend on several factors, including the severity of the violations, the nature of the data processed, the intentional or negligent character of the conduct, and the degree of cooperation with supervisory authorities.

In addition to administrative sanctions, criminal consequences cannot be ruled out. Failure to comply with a decision issued by the Garante constitutes a criminal offence under Article 170 of the Italian Privacy Code, which provides for imprisonment from three months to two years for those responsible.

The Future of AI Regulation and the Lessons of the DeepSeek Case

The Garante’s action against DeepSeek is not an isolated incident but rather part of a broader trend towards stricter oversight of artificial intelligence services and their impact on data protection. The Italian Authority’s decision represents a notable precedent, likely to influence the conduct of other non-EU companies offering services within the EU without aligning with GDPR requirements.

This case also highlights the growing need for more effective international coordination in regulating artificial intelligence. Different national and regional data protection laws adopt varying approaches, leading to potential regulatory conflicts and challenges for global tech companies. Organisations such as the United Nations and the OECD are working to develop common standards, but the path to a harmonised global framework remains complex and uncertain.

What clearly emerges from the DeepSeek case is that the European Union continues to exercise rigorous oversight over the protection of personal data, reaffirming that compliance with the GDPR is an essential requirement for any company intending to operate within the EU market. The Italian Authority’s decision shows that national regulators are ready to take firm action to ensure compliance with existing rules, regardless of the origin of the companies involved. For DeepSeek and other tech players, ignoring these obligations could result in significant legal and economic consequences, making data protection compliance a key factor for sustainable market access in Europe.

By: Avv. Carlo Diego D’Andrea, Managing Partner at D’Andrea & Partners Legal Counsel, National Vice President of the European Union Chamber of Commerce in China (EUCCC)