DeepSeek quickly attracted worldwide attention and a broadly positive reception. However, it also appeared on the radar of foreign data regulators concerned about data security. Observing the startup's run-in with the Italian authorities, Kenneth Zhou, head of legal and compliance (Asia-Pacific North) at SIG Group, shares his insights and advice for Chinese companies expanding overseas
IN THE AGE of outbound investment, overseas compliance is at the top of everyone's agenda. For AI and internet companies offering products and services to users worldwide, the pressure of data compliance can quickly become overwhelming.
According to a press release from the Italian Data Protection Authority (Garante per la protezione dei dati personali, or the Garante) on 28 January 2025, it had requested DeepSeek to confirm the following: the categories of personal data collected; the sources of such data; the purposes of collection; the legal basis for processing the personal data; and whether the data is stored on servers located in China.
The Garante also inquired about the kind of information DeepSeek uses to train its AI system. In cases where personal data is collected through web scraping activities, DeepSeek was further required to clarify how registered and non-registered users are informed about the processing of their data.
The Garante granted a 20-day response period. In a further press release on 30 January, the Garante reported that DeepSeek had replied that EU data protection law did not apply to it, since the company does not operate in Italy. The Garante then issued an emergency order restricting DeepSeek from processing the personal data of Italian data subjects. On the same day, the DeepSeek app was removed from Apple's App Store and Google Play in Italy.
What went wrong?
The Garante’s order shows that it identified the following key data compliance issues with DeepSeek:
- The updated privacy policy on the website was provided only in English;
- The privacy policy failed to specify the legal basis for the processing of personal data and lacked information on the processing activities performed when providing the services;
- The personal data collected was stored within the territory of the People's Republic of China, without the GDPR's requirements for transferring personal data to a third country being met; and
- The data controller had not designated a representative in the EU by written mandate, as the GDPR requires of controllers not established in the EU.
The Garante's investigation is ongoing, so it is not yet clear whether DeepSeek falls short of the GDPR or the new EU AI Act (2024) in other respects. Although many perceive this as another deliberate, politically motivated crackdown on China's tech sector, judging from the publicly disclosed information above, the issue may well be more subtle than it appears.
First and foremost, the Garante's cautious approach towards tech products is by no means limited to Chinese companies. For instance, it imposed a fine of EUR20 million (USD21.8 million) on the US-based Clearview AI in 2022, and even temporarily banned ChatGPT in 2023. These cases show that geopolitical factors are not necessarily a primary consideration for this regulator.
The author does not find the data compliance issues listed by the Garante to be unreasonable. In fact, in many instances, equivalents can be found in China’s legal framework, including the Personal Information Protection Law (PIPL), the Cybersecurity Law, the Data Security Law, the Interim Measures for the Management of Generative AI Services, and the Regulations on the Protection of Minors in Cyberspace.
For example, while the Garante challenged the legal basis for data processing, article 13 of the PIPL sets out similar rules on the basis for processing, with the core requirement being "obtaining individual consent" or meeting another statutory exemption. The EU's requirement to appoint a representative in the Union is, in the author's view, comparable to article 27 of China's Data Security Law, which requires the "designation of a data security officer", although the GDPR representative acts as a point of contact for regulators and data subjects rather than as an internal security function.
It can be expected that future penalty decisions by the Garante may also cover cases where personal information is used for algorithm training without authorisation or consent. A similar provision can be found in China's Interim Measures for the Management of Generative AI Services. As stipulated in article 7, "providers of generative AI services shall lawfully conduct training data processing, such as pre-training and optimisation training … Where personal information is involved, they shall obtain individual consent or meet other circumstances permitted by law."