DeepSeek AI may disrupt laws on data protection and transfers on both sides of the Atlantic, as well as disrupting US markets.
Alongside the European market for electric vehicles, US tech markets are being disrupted by news of cheaper, faster technology shipped straight from China. DeepSeek is a new app which provides AI-driven capabilities including a large language model, code generator and maths calculator, which has already proved incredibly popular and powerful, with better stats than ChatGPT. The company behind it claims to have developed these tools much more cheaply than equivalent US models, with a spend of less than $6 million: reportedly less than Universal used on a discarded version of Shakespeare in Love starring Julia Roberts.
Although neither of these claims may be entirely true, there is no doubt that the news has raised hopes that the energy and resource needed to develop AI models will be less than feared. This was bad news for the chip company Nvidia, which suffered the largest single day loss ever on the US stock market – a cool $600 billion. At the same time, it may have been a tricky day for data protection, as the very fast adoption in the US and Europe of an app based in China poses data protection risks which are worth exploring.
Data flows to China
Data transfers to China are increasingly under scrutiny. Rights group NOYB, famous for disrupting transfers of European personal data to the US through its groundbreaking “Schrems” actions in the European court, has recently raised complaints with several EU data protection regulators about the lawfulness of transfers to China by online platforms such as Shein and TikTok.
The DeepSeek Privacy Policy describes the data which is collected from users and confirms that it is stored in servers in China under the control of two Chinese registered companies. It includes profile information, user prompts, technical information, usage information, cookies and payment information.
When it comes to transfers, if this is an app being downloaded and used voluntarily by individual users, then there won’t be a transfer for the purposes of European personal data transfer rules, as they won’t come within the scope of the GDPR, as confirmed for the UK GDPR in the ICO’s guide to international transfers. This is because individuals are acting in their personal capacity for their own purposes when they are sending the data. However, if the Chinese companies then share the personal data with other bodies in China or elsewhere, this comes under UK/EU transfers law and requires appropriate levels of data protection, although there would be challenges in proving and enforcing this. They would not yet be subject to an NOYB-style complaint about transfers as there is no business or organisation exporting information to China.
GDPR compliance
Beyond transfers, on the subject of general data protection compliance, in theory DeepSeek should be complying with the GDPR when it is processing personal data received from Europe, even though this is sent for household and personal use, as confirmed in Recital 18. Compliance would include appointing an EU (or UK equivalent) representative, if it is undertaking targeted sales or monitoring activity. The recent NOYB action may put them off doing this, as this provides the trigger and target for transfers enforcement.
US federal laws on data transfer
For US users, information divulged by or collected from them includes material which it would be unlawful to transfer to China under the US “countries of concern” DoJ Rule, which covers, for example, the combined IP address and email address of more than 100,000 people. But the DoJ rules aren’t aimed at individual voluntary transfers by US citizens, which is effectively what is happening here. The controversial law which effectively banned TikTok in the US, and which is in a state of suspended animation under the new administration, wouldn’t seem to be in play either, since it only applies to sites which host user-generated content.
As well as concerns about transfers to China, and any accompanying use of data for training more AI systems, there may be more general security concerns. These will only increase now that the company has paused registrations for new users after reporting “large scale malicious attacks”.
For UK and EU businesses
So where does that leave businesses in Europe?
Possible concerns for corporates, including law firms, would be formal adoption of the DeepSeek app by UK or EU companies which would bring transfers within data protection law, and require risk assessment and safeguards. In addition, informal use of the app by individual employees for work purposes could come under the GDPR security and transfer rules, explored in this Shoosmiths article.
Where do we go from here?
That just leaves a wider question: should Europe and the US permit a rival AI superpower to harvest valuable information from its citizens without any controls by tempting them in at an individual level with amazing free stuff? Perhaps we should all remember the old adage about free content on the internet: if there’s no charge, then we are the product. What we see happening with DeepSeek is something slightly new, and not covered by current data protection rules in Europe, nor by national security data laws in the US.
Trump has called DeepSeek a wake-up call which will stimulate US companies – and no doubt UK ones – to greater and faster innovation. This may be so, but it may also stimulate governments to impose new rules to control information flows where products and services are offered online, and countries may wish to start closing off access where they perceive that national security and development of sovereign AI capability are too valuable to be offering in exchange for new and exciting AI tools.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.