DeepSeek's regulatory challenges make its AI a risky bet for Canadian organizations

As EU regulators clamp down, businesses should think twice before adopting the tool, argues Tara Raissi

Tara Raissi

DeepSeek, a company specializing in artificial intelligence, has attracted global attention for its affordable and accessible AI, quickly becoming one of the most downloaded free applications in the United States. Despite its rapid adoption, the company faces scrutiny from global regulators, particularly in Europe, where its storage of user data in China is under investigation by several countries for non-compliance with the General Data Protection Regulation.

Canadian organizations considering DeepSeek’s AI tools should be following the outcome of these investigations and the company’s cooperation with data authorities closely. DeepSeek’s non-compliance with the GDPR – viewed as the gold standard for protecting consumer information – will affect public confidence and complicate its adoption in Canada. An international regulator's ruling against the company will cast doubt on the adequacy of its privacy safeguards and compliance with Canada’s data protection laws. With Canada’s Digital Charter Implementation Act (Bill C-27) in legislative limbo, the GDPR’s take on DeepSeek may help guide Canadian regulators in responding to the company’s AI tool.

European regulators have expressed concern about gaps in DeepSeek’s privacy framework, including unfettered government access to user data. These concerns are helpful to Canadian organizations as they assess the company’s data handling practices. Failing to consider these red flags can expose businesses to compliance risks, regulatory scrutiny, monetary fines, and legal liability.

Is “The DeepSeek Effect” too good to be true?

DeepSeek has positioned itself as a cost-efficient alternative to its competitors by reducing some of the expenses associated with developing and training AI models. Headquartered in China, it has built AI tools that rival those of its competitors at a fraction of the cost. Unlike proprietary AI systems that keep their code secret, DeepSeek uses open-source development for its smaller and earlier-version models. Open-source development allows users to download and modify DeepSeek’s code without expensive licenses. The “DeepSeek effect” – the reduction of the high costs associated with the development and adoption of AI – is said to enhance access and foster innovation.

While DeepSeek promotes AI accessibility, regulators question whether its data protection measures keep pace with its expansion. Several European data protection authorities launched investigations into its compliance with the GDPR, including the implications of storing personal data in a country with unlimited government access to user data. Under the GDPR, data transfers outside the EU are permissible if the receiving country has “adequate” levels of protection of personal information. If not, transfers may still be allowed, provided that appropriate privacy safeguards are in place. Organizations must also ensure that data subjects have the right to access, correct, delete or object to processing their information and that legal remedies through courts or regulatory authorities are available to data subjects in case of data misuse. European regulators differentiate between these stringent GDPR protections and user rights under the Personal Information Protection Law of the People’s Republic of China to question whether China’s privacy framework meets the adequacy threshold for cross-border data transfers.

Italy’s data regulator, Garante, requested information from DeepSeek about its handling of user data, including whether personal information was held in China. DeepSeek responded that it was not subject to European laws because it did not operate in Italy. As a result, Garante banned DeepSeek’s data processing in Italy, citing privacy risks linked to China’s data protection framework. Belgium, France, the Netherlands, and Luxembourg have initiated similar inquiries into DeepSeek. The outcome of these investigations can impede DeepSeek’s adoption in Europe.

Cross-border transfers of personal data

The investigations into DeepSeek carry global implications, including in Canada, where domestic laws impose strict requirements for transferring personal data to another jurisdiction. Protecting user data across borders is a key concern for Canadian regulators and consumers. For example, while the Personal Information Protection and Electronic Documents Act (PIPEDA) does not distinguish between domestic and international data transfers, it puts the onus on private organizations to use contractual terms to secure a comparable level of protection of personal information when data is transferred to any third party for processing. Since PIPEDA recognizes that contracts will not override the laws of another jurisdiction, it requires that organizations conduct their due diligence to rule out unwise transfers of personal information by considering all the elements of the transfer, including any legal requirements in the jurisdiction in which the third party operates that create privacy risk for user data. Non-compliance with these requirements will lead to regulatory intervention, monetary fines, and reputational damage to the organization handling user data.

The bottom line

DeepSeek’s reported cost-saving approach to AI development claims to make the industry more affordable, but regulators question its policy of storing user data in China. The outcome of these investigations can influence the Canadian consumer and regulatory outlook on DeepSeek. Understanding the privacy concerns highlighted by regulators abroad, the degree to which they align with domestic data protection standards and the company’s willingness to cooperate with authorities will determine how – and to what extent – DeepSeek’s technology can be used in various sectors at home.