13 February 2025

DeepSeek And Personal Data Transfers To China

Shoosmiths

Contributor

DeepSeek AI may disrupt laws on data protection and transfers on both sides of the Atlantic, as well as disrupting US markets.

What matters

UK and EU companies will need to understand how data protection laws work for transfers to China, and how they should control app use by employees.

What matters next

Concerns about DeepSeek may stimulate new rules on transfers based on national security as well as data protection in many jurisdictions.

Alongside the European market for electric vehicles, US tech markets are being disrupted by news of cheaper, faster technology shipped straight from China. DeepSeek is a new app which provides AI-driven capabilities including a large language model, code generator and maths calculator, which has already proved incredibly popular and powerful, with better stats than ChatGPT. The company behind it claims to have developed these tools much more cheaply than equivalent US models, with a spend of less than $6 million: reportedly less than Universal used on a discarded version of Shakespeare in Love starring Julia Roberts.

Although neither of these claims may be entirely true, there is no doubt that the news has raised hopes that the energy and resources needed to develop AI models will be less than feared. This was bad news for the chip company Nvidia, which suffered the largest single-day loss ever on the US stock market – a cool $600 billion. At the same time, it may have been a tricky day for data protection, as the very fast adoption in the US and Europe of an app based in China poses data protection risks which are worth exploring.

Data flows to China

Data transfers to China are increasingly under scrutiny. Rights group NOYB, famous for disrupting transfers of European personal data to the US through its groundbreaking "Schrems" actions in the European court, has recently raised complaints with several EU data protection regulators about the lawfulness of transfers to China by online platforms such as Shein and TikTok.

The DeepSeek Privacy Policy describes the data which is collected from users and confirms that it is stored in servers in China under the control of two Chinese registered companies. It includes profile information, user prompts, technical information, usage information, cookies and payment information.

When it comes to transfers, if this is an app being downloaded and used voluntarily by individual users, then there won't be a transfer for the purposes of European personal data transfer rules, as these users won't come within the scope of the GDPR, as confirmed for the UK GDPR in the ICO's guide to international transfers. This is because individuals are acting in their personal capacity for their own purposes when they are sending the data. However, if the Chinese companies then share the personal data with other bodies in China or elsewhere, this comes under UK/EU transfers law and requires appropriate levels of data protection, although there would be challenges in proving and enforcing this. They would not yet be subject to an NOYB-style complaint about transfers as there is no business or organisation exporting information to China.

GDPR compliance

Beyond transfers, on the subject of general data protection compliance, in theory DeepSeek should be complying with the GDPR when it is processing personal data received from Europe, even though this is sent for household and personal use, as confirmed in Recital 18. Compliance would include appointing an EU (or UK equivalent) representative, if it is undertaking targeted sales or monitoring activity. The recent NOYB action may put them off doing this, as this provides the trigger and target for transfers enforcement.

US federal laws on data transfer

For US users, information divulged by or collected from them includes material which it would be unlawful to transfer to China under the US "countries of concern" DoJ Rule, which covers for example the combined IP address and email address of more than 100,000 people. But the DoJ rules aren't aimed at individual voluntary transfers by US citizens, which is effectively what is happening here. The controversial law which effectively banned TikTok in the US, and which is in a state of suspended animation under the new administration, wouldn't seem to be in play either, since it only applies to sites which host user-generated content.

As well as concerns about transfers to China, and any accompanying use of data for training more AI systems, there may be more general security concerns. These will only increase now that the company has paused registrations for new users after reporting "large scale malicious attacks".

For UK and EU businesses

So where does that leave businesses in Europe?

Possible concerns for corporates, including law firms, would be formal adoption of the DeepSeek app by UK or EU companies which would bring transfers within data protection law, and require risk assessment and safeguards. In addition, informal use of the app by individual employees for work purposes could come under the GDPR security and transfer rules, explored in this Shoosmiths article.

Where do we go from here?

That just leaves a wider question: should Europe and the US permit a rival AI superpower to harvest valuable information from its citizens without any controls by tempting them in at an individual level with amazing free stuff? Perhaps we should all remember the old adage about free content on the internet: if there's no charge, then we are the product. What we see happening with DeepSeek is something slightly new, and not covered by current data protection rules in Europe, nor by national security data laws in the US.

Trump has called DeepSeek a wake-up call which will stimulate US companies – and no doubt UK ones – to greater and faster innovation. This may be so, but it may also stimulate governments to impose new rules to control information flows where products and services are offered online, and countries may wish to start closing off access where they perceive that national security and development of sovereign AI capability are too valuable to be offering in exchange for new and exciting AI tools.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
