| Emre İNCEOĞLU Lawyer | Ayşe ADIGÜZEL Trainee Lawyer | Duygu AYTAÇ Trainee Lawyer |
ABSTRACT Today, artificial intelligence technologies that attract global attention offer significant opportunities to various sectors while simultaneously bringing along complex problems from many perspectives including ethics, data security, compliance and similar aspects. The aforementioned technologies, which aim to reach the widest user base, draw attention not only from the standpoint of privacy and data confidentiality but also from a political perspective. The fact that artificial intelligence technologies improve themselves through user interactions leads to the model that appeals to the largest user base in the competitive environment becoming the model that accesses the most data and develops itself most rapidly. Recently, while discussions regarding artificial intelligence technologies continue, the use of the R1 model developed by the Chinese-origin company DeepSeek has begun to be prohibited in many countries considering critical points such as legal liabilities, data privacy, cybersecurity and similar matters.
Keywords: DeepSeek, Artificial Intelligence, ChatGPT, Digital Privacy.
INTRODUCTION
The artificial intelligence company of Chinese origin (“China”) established in 2023, Hangzhou DeepSeek Hangzhou DeepSeek Artificial Intelligence Co., Ltd. together with Beijing DeepSeek Artificial Intelligence Co., Ltd. (“DeepSeek”), first offered R1 (“R1”), an artificial intelligence model that develops open-source large language models on their platforms, to the global market in January 2025. The R1 model offered by DeepSeek to the market has broken conventions in the artificial intelligence world and ignited fierce competition by reaching large masses thanks to being user-friendly due to reasons such as being free of charge, having superior performance and not requiring subscription, and even being able to run smoothly on personal computers. Particularly this innovation from China has profoundly affected Silicon Valley giants and signaled the beginning of a new era in the artificial intelligence industry. DeepSeek’s global impact, while increasing the accessibility of artificial intelligence technologies, has raised important questions regarding the security of user data. This article provides comprehensive information about the sanctions implemented and instructions given by states and competent authorities based on various reservations of DeepSeek’s artificial intelligence models concerning the protection of personal data, privacy and cybersecurity matters.
I. GENERAL OVERVIEW OF THE ARTIFICIAL INTELLIGENCE MODEL DEVELOPED BY DEEPSEEK
R1 was offered to the market as an open-source model by DeepSeek, which began its activities as a small startup in China and develops large language models and advanced artificial intelligence solutions. DeepSeek is not only a large language model capable of human-like text generation and inference like competitors such as OpenAI’s GPT or Google’s Gemini, but also a comprehensive ecosystem offering artificial intelligence tools, application programming interfaces and platforms for developers as well as corporate and individual users. DeepSeek, which attracts attention with its open-source, high-efficiency and accessible structure, provides various advantages to different user groups. While offering cost savings, operational efficiency and sector-specific solutions for businesses, it grants developers free access with open-source advantage and the opportunity to develop artificial intelligence-based products. Individuals can use DeepSeek free of charge in their personal and/or professional work, learning processes and entrepreneurial activities. In these respects, DeepSeek offers an innovative and cost-effective artificial intelligence solution for both individual and corporate users. While DeepSeek gains strength against its competitors with the services it provides, it has been prohibited in some countries due to claims that the protection it provides in terms of data privacy is insufficient and related reasons. Since the development of artificial intelligence-based models largely depends on interaction with end users, the prohibition of R1 in certain countries is considered as an element that could weaken DeepSeek’s competitive power.
II. REACTIONS TO DEEPSEEK WORLDWIDE AND REGULATORY INTERVENTIONS
The rapid proliferation of artificial intelligence technologies brings along various concerns as well as the excitement it creates globally. The basis of criticisms directed at DeepSeek is constituted by the company’s data processing activities, particularly the failure to provide sufficient transparency in terms of policies regarding the collection, processing, storage and transfer of user data, and the fact that although the aforementioned activities are conducted in accordance with Chinese legislation, they show incompatibility with data protection regulations of different countries. In this direction, DeepSeek is increasingly attracting the attention of regulatory and supervisory authorities and is subject to stricter examinations. Because, as explicitly stated in DeepSeek’s privacy policy¹, the storage of all collected user data on servers located in China requires DeepSeek’s policies to be compliant with (i) the 2017 National Intelligence Law² (“NIL”) regulating the Chinese government’s national intelligence gathering activities and (ii) the 2021 Data Security Law³ (“DSL”) which tightens the data management regime and regulates data collection, processing, storage and transfer processes. While the aforementioned laws, within the framework of NIL, stipulate the obligation of real and legal persons to support, assist and cooperate in China’s national intelligence works, it is also stated that national intelligence institutions may request necessary support, assistance and cooperation from relevant institutions and individuals. This situation, in respect of data stored on servers in China, may provide the right to request access to data especially for state security or intelligence purposes and may create serious risks in terms of the security of DeepSeek’s user data. Considering the aforementioned regulations, DeepSeek’s reliability in the global market is being questioned by regulatory institutions.
A. ITALY⁴
Italy has so far been the first and only European Union (“EU”) member state to prohibit the use of the DeepSeek model. The Italian Data Protection Authority (“Garante”), upon the application made by Altroconsumo, one of Italy’s most important consumer rights organizations, requested information on 28 January 2025 from DeepSeek regarding the categories of personal data collected, the sources of data collected for training the model, the purposes and legal grounds of data processing, whether personal data is hosted on servers in China, and whether the data subjects are informed or not. DeepSeek, in its response to the aforementioned information request dated 29 January 2025, argued that it is not subject to the General Data Protection Regulation (“GDPR”)⁵ by stating that the company does not conduct and does not aim to conduct any activity in the Italian market, also citing as grounds that it removed the DeepSeek application from local application markets. Garante, taking into account DeepSeek’s aforementioned response, as a result of the examinations it conducted, although it confirmed that DeepSeek applications were removed from local application markets, decided that DeepSeek’s data processing activities are subject to GDPR pursuant to Article 3/2(a) of GDPR since the DeepSeek artificial intelligence system is still accessible by Italian users via website. Within the scope of the aforementioned decision given on 30 January 2025, (i) the failure to explicitly include necessary information contained in other relevant articles of GDPR including the legal grounds stipulated in Article 6 of GDPR in DeepSeek’s privacy policy (GDPR, art. 12, 13 and 14), (ii) the failure to appoint a representative established in the EU (GDPR, art. 27), (iii) the failure to establish the necessary cooperation mechanism with the competent data protection authority due to not responding to all information requested by Garante (GDPR, art. 31) and (iv) the failure to provide the necessary security level envisaged in GDPR due to the hosting of personal data in China (GDPR, art. 32), it was determined that the DeepSeek artificial intelligence model is not compliant with GDPR and its use in the country was prohibited. The aforementioned sanction is not the first sanction applied by Garante towards artificial intelligence models/systems; the authority, on 20 December 2024, as a result of an investigation process lasting approximately two years on the grounds that OpenAI’s ChatGPT artificial intelligence system was not compliant with GDPR, ruled an administrative penalty of 15 million euros against OpenAI.
B. USA
In the United States of America (“USA”), various restrictions have been imposed on DeepSeek due to serious security concerns. According to Techcrunch news⁶, which is a news platform regarding the technology world and entrepreneurship ecosystem, the restrictions and their grounds are stated as follows:
- In the notification sent to offices affiliated with the US Congress by the US House of Representatives, it was stated that DeepSeek is under review. According to information obtained by the news organization Axios, in the relevant notification, it was expressed that DeepSeek is being used by malicious persons for distributing software for malicious purposes and affecting devices with malware in the name of cybersecurity vulnerability. Based on these grounds, the US House of Representatives took security measures that restrict the functionality of DeepSeek on all congressional devices. Furthermore, it prohibited personnel from installing DeepSeek applications on mobile phones, computers or tablets used within the scope of official duties.⁷
- The Texas Governorship stated that Chinese-origin software poses security risks and in this direction published a decree prohibiting the use of such software on devices used by official institutions of the state. Although DeepSeek was not directly mentioned in the decision text, the aforementioned prohibited technologies were listed by referring to DeepSeek on the Governorship’s official website.⁸
- According to information obtained by the news organization CNBC, in an email sent to personnel by the US Navy, it was announced that the use of DeepSeek products is completely prohibited. As grounds for the prohibition decision, “potential security vulnerabilities and ethical concerns” regarding DeepSeek’s origin and use were shown. In the email, it was particularly emphasized that DeepSeek “must absolutely not be used for mission-related activities or for personal purposes”.⁹
- In the notification sent to personnel by NASA’s chief artificial intelligence officer, it was stated that (i) the fact that DeepSeek’s servers operate outside the USA poses a risk in terms of national security, (ii) the integration of DeepSeek with NASA’s data or its use on devices and networks allocated by the state is not authorized, and (iii) personnel’s access to DeepSeek through NASA devices and network connections managed by NASA is prohibited.¹⁰
In light of the above information, the USA considers DeepSeek’s operation on Chinese servers as a potential threat in terms of national security and has prohibited the use of the aforementioned technology especially in state institutions, defense industry and military units and similar critical areas.
C. AUSTRALIA
The Australian government, with the directive¹¹ it published on 4 February 2025, prohibited access to DeepSeek’s products, applications and internet services by public institutions and organizations. The relevant decision directly affects employees working in state organs, however uncertainties continue regarding whether the prohibition covers educational institutions and similar other public sector devices. However, it was stated that personal devices are not within the scope of this prohibition. The fundamental ground behind the prohibition is the risk that DeepSeek’s software infrastructure renders sensitive state information vulnerable against unauthorized accesses. Cybersecurity experts have issued warnings that potential security vulnerabilities in DeepSeek’s design could lead to it becoming a significant target for cybercriminals. In the report published by the Australian Cyber Security Centre, it was stated that DeepSeek’s lack of end-to-end encryption and dependency on Chinese servers could enable cyber attackers to access and manipulate this data, therefore could pose a serious threat in terms of national and public security.¹²
D. SOUTH KOREA
DeepSeek, as stated in the press release¹³ announced by South Korea’s Personal Information Protection Commission (“PIPC”) on 17 February 2025, decided to temporarily remove its application from relevant platforms for new users upon PIPC’s recommendation in order to improve its compliance with personal data protection laws. However, existing users who downloaded DeepSeek before the relevant decision will be able to continue using the current version of the application and the website. It was stated that when necessary “improvements and corrections” are made for DeepSeek to be made compliant with the country’s personal data protection laws, the application will be presented again to South Korean users. According to news made by Yonhap, a news agency based in South Korea, one day after the prohibition was announced, PIPC confirmed that DeepSeek transfers user data to ByteDance, which is China-based and includes Tiktok within its body, but stated that which data and to what extent it is transferred has not yet been determined and requested explanation from DeepSeek regarding data collection and management methods. DeepSeek emphasized its desire to actively cooperate with PIPC by announcing that it appointed a representative in South Korea and acknowledging that there are deficiencies in taking local protection laws into consideration.¹⁴
E. TAIWAN
In Taiwan, which has ongoing disputes with China based on legal status and sovereignty elements, in the statement¹⁵ made by Taiwan’s Ministry of Digital Affairs on 3 February 2025, it was stated that DeepSeek should not be used by public institutions and critical infrastructures on the grounds that it threatens national information security. The Ministry stated that the aforementioned measure covers employees of central and local government institutions, state schools, public economic enterprises, other semi-official institutions and those working in critical infrastructure projects, as well as employees working in foundations financed by the state. In the statement, it was emphasized that DeepSeek’s artificial intelligence model is a Chinese-origin product and carries security risks such as cross-border data transfer and information leakage.¹⁶
CONCLUSION
Comprehensive improvements that DeepSeek will make in the fields of security and privacy in order to address existing concerns on a global scale carry strategic importance in terms of sustaining its long-term existence and increasing its competitive power. Because DeepSeek’s ability to reach a more effective position in its ongoing competition with artificial intelligence providers and deployers seems possible only by eliminating the relevant reservations and thereby establishing trust with both individual and corporate users and competent authorities. Considering the local decision of Garante addressed in this article and similar studies conducted in EU member countries, attention is drawn to the importance of generative artificial intelligence being carefully regulated in a manner compatible with both technological developments and human rights. Furthermore, especially when it comes to companies outside the EU, it is emphasized that transparency and a fair approach in the processing of personal data are critically important. The prohibitive/restrictive decisions given to DeepSeek to date should also be carefully followed by all players including providers, deployers and similar ones working in the field of artificial intelligence and should be adopted as important guiding manuals in development, test and implementation phases. Thus, especially in terms of personal data sharing with competent authorities, by creating transparent, predictable and legally certain rule sets in order to ensure security and supervision, and by taking privacy-friendly measures, risks that may arise during the use of relevant technologies will be able to be minimized. This approach, while evaluating the potential of artificial intelligence technologies in the most effective manner, will also form the foundation of building a fair, transparent and accountable technology ecosystem by guaranteeing the protection of individuals’ personal data.
1 Deepseek, “Deepseek Privacy Policy,” Access Date: 24 February 2025, https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html
2 China Law Translate, “PRC National Intelligence Law (as amended in 2018)”, Access Date: 24 February 2025 https://www.chinalawtranslate.com/en/national-intelligence-law-of-the-p-r-c-2017/.
3 National People’s Congress of China, “Data Security Law of the People’s Republic of China”, Access Date: 24 February 2025, http://en.npc.gov.cn.cdurl.cn/2021-06/10/c_689311_2.htm.
4 Garante per la protezione dei dati personali, “Italian Data Protection Authority: Guidelines on Processing Personal Data in the Context of Artificial Intelligence”, Access Date: 06 April 2025, https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10085432#english.
5 General Data Protection Regulation (GDPR), “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016,” Official Journal of the European Union, L119, 1–88, Access Date: 18 October 2024, https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng.
6 TechCrunch, “Deepseek: The countries and agencies that have banned the AI company’s tech.”, Access Date: 24 February 2025, https://techcrunch.com/2025/02/03/deepseek-the-countries-and-agencies-that-have-banned-the-ai-companys-tech/.
7 Andrew SOLANDER, “Scoop: Congress bans staff use of DeepSeek.” Access Date: 25 February 2025, https://www.axios.com/2025/01/30/house-congress-bans-deepseek-ai.
8 Texas Governor’s Office, “Governor Abbott announces ban on Chinese AI social media apps.” Access Date: 24 February 2025, https://gov.texas.gov/news/post/governor-abbott-announces-ban-on-chinese-ai-social-media-apps.
9 Hayden FIELD, “US Navy restricts use of DeepSeek AI: ‘Imperative to avoid using’.” https://www.cnbc.com/2025/01/28/us-navy-restricts-use-of-deepseek-ai-imperative-to-avoid-using.html.
10 Lora KOLODNY, “NASA becomes latest federal agency to block China’s DeepSeek on ‘security and privacy concerns’.” Access Date: 24 February 2025, https://www.cnbc.com/2025/01/31/nasa-becomes-latest-federal-agency-to-block-chinas-deepseek.html.
11 Australian Government Department of Home Affairs, “PSPF Direction 001-2025: DeepSeek Products, Applications and Web Services”, Access Date: 3 April 2025, https://www.protectivesecurity.gov.au/system/files/2025-02/PSPF-Direction-001-2025_1.pdf
12 Tom GERKEN, “Australia bans DeepSeek on government devices over security risk.” 4 February 2025. BBC, Access Date: 24 February 2025, https://www.bbc.com/news/articles/c8d95v0nr1yo?ysclid=m7hq8a8a5u845180718.
13 Personal Information Protection Commission, “DeepSeek Temporarily Suspends Its Application Service in Korea”, Access Date: 28 February 2025, https://pipc.go.kr/eng/user/ltn/new/noticeNoticeDetail.do
14 Yonhap News Agency, “DeepSeek sent S. Korean user data to China’s ByteDance: regulator.” Yonhap News Agency, Access Date: 24 February 2025, https://en.yna.co.kr/view/AEN20250218005300315?section=search.
15 Taiwan Ministry of Digital Affairs, “DeepSeek prohibited in government agencies to prevent cybersecurity risk.” Access Date: 23 February 2025, https://moda.gov.tw/en/press/press-releases/15104.
16 Reuters, “Taiwan bans government departments from using Deepseek AI.” Access Date: 23 February 2025, https://www.reuters.com/technology/taiwan-bans-government-departments-using-deepseek-ai-2025-02-03/..