Pierluigi Paganini
January 31, 2025
Italy’s data protection watchdog has blocked Chinese artificial intelligence (AI) firm DeepSeek ‘s chatbot service within the country, citing a lack of information on its use of users’ personal data.
The AI-powered chatbot, recently launched globally, has rapidly gained popularity reaching millions of users.
This week, Italy’s Data Protection Authority Garante asked the AI firm DeepSeek to clarify its data collection, sources, purposes, legal basis, and storage, citing potential risks to user data.
“The Italian Data Protection Authority has sent a request for information to Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence, the companies that provide the DeepSeek chatbot service, both web- and app-based.” reads the announcement. “Given the potentially high risk for millions of people’s data in Italy, the Authority asked the two companies and their subsidiaries to confirm which personal data are collected, the sources used, the purposes pursued, the legal basis of the processing, and whether they are stored on servers located in China.”
Italy’s Garante also asked DeepSeek AI about its training process, web scraping practices, and user notifications. Garante ordered the AI firm to provide details on the personal data it collects, its sources, storage locations, legal basis, and collection purposes.
Italy’s privacy regulator required a response within 20 days; however, the company’s insufficient response to concerns over user data protection triggered the Garante’s decision.
Despite the Authority’s findings, the companies claimed they do not operate in Italy and that European regulations do not apply. The Authority has also launched an investigation into the matter.
“The Italian Data Protection Authority has urgently and immediately ordered the restriction of data processing for Italian users by Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence, the Chinese companies providing the DeepSeek chatbot service.” reads the new Garante’s announcement. “The restriction order—issued to protect Italian users’ data—follows a response from the companies received today, which was deemed entirely insufficient.
Contrary to the Authority’s findings, the companies claimed they do not operate in Italy and that European regulations do not apply to them. In addition to imposing the data processing restriction, the Authority has also launched an investigation.”
In early April 2023, the Italian Data Protection Authority temporarily banned ChatGPT due to the illegal collection of personal data and the absence of systems for verifying the age of minors.
The Authority pointed out that OpenAI does not alert users that it is collecting their data.
At the time the privacy watchdog said that there is no legal basis underpinning the massive collection and processing of personal data to ‘train’ the algorithms on which the platform relies.
The Authority carried out some tests on the service and determined that the information it provides does not always match factual circumstances so inaccurate personal data are processed.
The Authority claimed that ChatGPT exposes minors to inappropriate responses for their age despite the service being designed to respond to users aged above 13.
A few weeks later, OpenAI announced that access to its chatbot service ChatGPT was allowed again in Italy after the company met the demands of regulators.
The DeepSeek’s AI Assistant app is one of the most downloaded apps in different countries on the Apple App Store. However, last week the company announced they were forced to disable registrations for its DeepSeek-V3 chat platform following a “large-scale” cyberattack.
“Due to large-scale malicious attacks on DeepSeek’s services, we are temporarily limiting registrations to ensure continued service. Existing users can log in as usual. Thanks for your understanding and support.” reads a statement published by the company on its status page.
The AI company did not share details about the attack or its origin, however likely the platform was targeted by a massive DDoS attack.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, DeepSeek)
