Data Privacy Enforcement Tracker

DeepSeek AI, the latest entrant in the artificial intelligence landscape, has made an explosive debut. As the first high-quality AI model released outside the usual industry leaders—OpenAI, Google, and Anthropic—it has immediately drawn attention. Since its release, millions of downloads and an overwhelming rush to access its API have underscored the appetite for a new player in the AI market. However, alongside its rapid adoption, DeepSeek AI has raised significant concerns among security researchers, privacy professionals, and regulators worldwide.

Privacy and Security Red Flags

NowSecure, a prominent security research firm, quickly uncovered troubling issues with DeepSeek AI’s infrastructure. Investigations revealed that:

• Unencrypted data was being transmitted across global networks, increasing the risk of interception by malicious actors.
• Device-specific information was being collected, raising concerns about detailed user tracking and surveillance.
• User data submitted in the application was being stored in the same data centers used by ByteDance, a company that has faced intense scrutiny over data privacy and its ties to Chinese government regulations.

These revelations have triggered global alarm, particularly among privacy regulators. Concerns over DeepSeek AI’s lack of transparency regarding its data handling have led to official inquiries and mounting restrictions.

Regulatory Backlash and Bans

Several regulatory bodies worldwide have sought clarity from DeepSeek AI regarding its data collection and usage policies. However, unsatisfactory responses have led to outright bans in certain jurisdictions. Australia, Canada, Italy, the Netherlands, Taiwan, South Korea, and Texas have already prohibited the use of DeepSeek AI, citing concerns over privacy risks, and national security. In addition, numerous other jurisdictions are considering similar prohibitions. Further, Reps. Josh Gottheimer, D-N.J., and Darin LaHood, R-Ill., on February 6, 2025 introduced the “No DeepSeek on Government Devices Act,” which would ban federal employees from using the DeekSeek AI application on government-owned electronics.

These moves follow a broader trend of increasing scrutiny of AI models that operate outside of established regulatory frameworks. The lack of clarity regarding DeepSeek AI’s compliance with data protection laws, particularly in regions with stringent regulations like the European Union has only fueled skepticism.

Why Should Users Care?

For everyday users, DeepSeek AI’s privacy concerns aren’t just a theoretical risk—they have real implications:

• Detailed user tracking: The collection of device-specific information allows for precise tracking of individuals, creating a surveillance risk.
• No limits on data sharing or use: Unlike AI models from OpenAI, Google, or Anthropic, which have clearer policies, DeepSeek AI has not provided transparency on how user data is shared or used.  See DeepSeek AI Privacy Policy.
• Exposure to Chinese data laws: Users of DeepSeek AI are subject to data regulations that differ significantly from those in the U.S. or EU, meaning personal information may not be protected under familiar legal standards.
• Government and corporate bans: Many federal and state agencies have already banned the use of DeepSeek AI, raising questions about its safety and reliability. If governments won’t allow it on their systems, should individuals?

Why Should Companies Care?

Companies, especially those integrating AI into their applications, must tread carefully when considering DeepSeek AI. Depending on the target customer, the risks may be substantial:

• For consumer facing applications: Companies must ensure their privacy policies accurately reflect how user data is handled. Given DeepSeek AI’s lack of transparency with regulators, this may be difficult or even impossible. Using DeepSeek AI could expose developers to legal liability if privacy disclosures are later found to be misleading or incomplete.
• For business-to-business applications with government customers: Many government agencies have prohibited the use of DeepSeek AI, meaning incorporating it into enterprise products for government clients could violate contracts or national security policies.
• For business-to-business applications with corporate customers: Many private companies have strict contractual obligations regarding data security and compliance with U.S. and EU privacy laws. Using DeepSeek AI could potentially breach these contracts if the company deems its data handling practices non-compliant. Further, the lack of clarity in how DeepSeek AI handles data could give rise to unintended violations of contractual restrictions and even more serious issues with respect to export control laws.

Final Thoughts: Proceed with Caution

The rapid evolution of AI models brings both innovation and uncertainty. The lack of consistency in how AI services are designed and regulated means that users and companies must be highly vigilant. DeepSeek AI’s case underscores the importance of understanding the AI tools being used or integrated into products.

Failing to scrutinize AI models and their data practices could result in unintended exposure of sensitive information, regulatory violations, and significant legal or financial consequences. As AI adoption continues to grow, ensuring compliance with privacy and security standards isn’t just best practice—it’s essential.