Dutch Privacy Authority Scrutinizes DeepSeek's Data Practices
Netherlands, Monday, 3 February 2025.
The Dutch privacy authority, AP, is investigating Chinese AI company DeepSeek over concerns about how they collect and handle personal data, reflecting broader EU privacy worries.
Investigation Launch and Immediate Concerns
The Dutch privacy watchdog (AP) initiated its investigation on January 31, 2025 [1], with AP chairman Aleid Wolfsen expressing serious concerns about DeepSeek’s privacy policies and data handling practices [2][3]. The investigation focuses particularly on how personal data is transferred to China, as such transfers are only permitted under strict EU regulations [2]. Of specific concern is that users’ personal information, including uploaded documents like CVs and chat interactions, may be stored on Chinese servers without adequate privacy protections [2].
European Regulatory Response
This investigation is part of a broader European regulatory response to DeepSeek’s practices. Italy has already taken decisive action by blocking DeepSeek’s app in January 2025 [1], while Ireland and France are actively seeking information about the company’s data processing methods [1]. The Dutch authorities are working in close coordination with other EU privacy regulators to share information and determine appropriate next steps [2][3].
DeepSeek’s Market Impact
DeepSeek has gained significant attention for developing its AI capabilities at remarkably lower costs compared to its competitors. The company reportedly spent only $5.6 million on its flagship v3 model [7], in stark contrast to the billions invested by U.S. competitors [7]. The company’s efficiency has attracted users, with its AI assistant becoming the most downloaded free app on Apple’s App Store by January 27, 2025 [7].
Legal Implications for Users
The AP has issued a specific warning to Dutch users about potential legal consequences. Users who upload information about third parties to DeepSeek’s chatbot might unknowingly violate privacy laws if they haven’t obtained proper consent [2][3]. This is particularly concerning as the system ‘thrives on the information provided,’ according to Wolfsen [2], potentially creating a repository of unauthorized personal data transfers to servers outside the EU.