Italy’s Data Protection Authority, known as the Garante, has banned DeepSeek AI, an artificial intelligence chatbot developed by the Chinese firms Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence. Officials cited concerns about how the company collects, stores, and processes personal data belonging to Italian users.
DeepSeek’s parent companies claim that they are not subject to European Union privacy laws because they do not operate within the EU. The Garante rejected this claim, stating that the company’s practices still involve processing data from European citizens, which means they must comply with the General Data Protection Regulation (GDPR).
Following the ban, DeepSeek AI is no longer available on Italian app stores. Users who had already downloaded the app, however, reported that it was still functional. The chatbot’s web-based version remains accessible, and some users may attempt to bypass restrictions by using virtual private networks (VPNs).
Why the Ban Happened
The Garante asked DeepSeek for details about what personal data it collects, how it is used, and whether it is stored in China. The company’s response was dismissed as inadequate. Authorities viewed its refusal to acknowledge EU privacy laws as a serious issue, prompting immediate action.
Italy has enforced similar measures in the past. In 2023, the Garante temporarily blocked OpenAI’s ChatGPT after identifying privacy violations. OpenAI was later allowed to reinstate its service in Italy after making changes to comply with GDPR.
The investigation into DeepSeek remains open. Italian regulators have given the company 20 days to provide more details about its data practices. If it does not cooperate, the ban could become permanent.
Other EU Countries Are Investigating
Italy’s decision has drawn attention from privacy regulators across the EU. Authorities in Ireland and Belgium have launched their own investigations into how DeepSeek handles user data. The French data protection agency, CNIL, has also stated that it is looking into the matter.
Regulators in Spain and Portugal are monitoring developments and could take similar steps if they identify violations. Since DeepSeek is not legally based in any EU country, each member state has the right to conduct its own investigation.
GDPR requires companies handling data from EU citizens to meet strict transparency and security standards. This applies even if the company operates from outside Europe. If DeepSeek is found to be violating these laws, more countries could follow Italy’s lead and restrict access to the chatbot.
How DeepSeek Has Responded
DeepSeek has not issued a detailed public statement about the ban. It did confirm that it removed the app from Italian stores but maintains that it is not subject to European data laws. This position is unlikely to satisfy regulators, especially as concerns grow over how AI companies store and use user information.
One of the main concerns with AI-driven platforms is the possibility of large-scale data collection without clear consent. If interactions with the chatbot are stored and analyzed, companies can build extensive databases of user data. Without proper oversight, this raises concerns about privacy and security. In January 2025, security researchers discovered that DeepSeek had left a critical database exposed, revealing over one million records, including user data and API keys. This further shows how vital it is to implement deeply strong data protection measures for AI platforms.
The ban also highlights the challenges European regulators face in enforcing data protection laws against companies based outside the EU. As AI development accelerates, regulators will need stronger tools to ensure that companies follow privacy rules when offering services in Europe.
What This Means for Users and AI Developers
For Italian users, the ban means that they can no longer download DeepSeek from official app stores. Those who had already installed it may still be able to use the app, at least for now. The chatbot’s web-based version remains operational, meaning some users may try to get around the restrictions with VPNs.
For AI companies, the situation serves as a reminder of the difficulties involved in entering the European market. Unlike in other regions, where AI companies often have more freedom, European regulators expect strict compliance with privacy laws. Companies that do not meet these requirements could face similar restrictions.
As more AI firms emerge, governments and regulators will continue grappling with how to balance technological development with data protection. The DeepSeek case could set a precedent for how Europe handles foreign AI models that do not adhere to GDPR rules.
A Broader Look at DeepSeek’s Data Practices
The Garante’s decision to block DeepSeek AI is not just about legal jurisdiction. The regulator has raised concerns about how the company gathers and processes data from European users. One of the key issues is where this data is stored and whether it is being used to train AI models. Without clear policies on these points, authorities worry that user data could be at risk.
DeepSeek’s refusal to provide detailed responses about its data collection practices has only increased suspicion. If the company is gathering data from European users without following GDPR rules, it could face further action beyond Italy. Other EU regulators are likely watching closely to see if additional steps need to be taken.
In past cases involving AI chatbots, regulators have demanded more transparency about how personal data is handled. For example, OpenAI was required to update its privacy policies and give users clearer options to control how their data was used. It remains to be seen whether DeepSeek will take similar steps or continue to resist European oversight.
The Risk of AI Models Operating Outside European Jurisdiction
DeepSeek’s argument that it does not operate within the EU may not hold up in the long run. European regulators have made it clear that any company processing data from EU citizens must comply with GDPR, regardless of where it is based. If DeepSeek continues to challenge this, it may find itself facing bans in more countries.
There is also the issue of enforcement. Unlike companies that have offices in the EU, DeepSeek does not have a legal presence in any member state. This makes it harder for regulators to take direct action beyond blocking access. However, GDPR allows for fines and penalties against companies that violate its rules, even if they are based outside the EU.
This situation is becoming more common as AI companies based in China, the United States, and other non-EU countries expand their services to European users. Without stronger international agreements on data protection, conflicts like this will likely continue.
What This Means for AI Regulation in Europe
The DeepSeek ban reflects a broader trend in Europe. Regulators are becoming more aggressive in enforcing privacy laws, especially when it comes to AI-driven services. GDPR has been in place since 2018, but many AI companies are still struggling to meet its requirements.
One of the biggest challenges is explaining how AI models handle user data. Many companies use personal interactions to train and improve their models, but this raises concerns about consent and transparency. Without clear safeguards, there is a risk that user conversations could be stored indefinitely and used in ways that violate privacy rights.
European regulators have also been looking at how AI companies handle user consent. Under GDPR, users must be informed about how their data is being used and given the option to opt out. If an AI service does not provide these choices, it is likely to face scrutiny.
The Role of National Regulators in AI Oversight
Unlike in other parts of the world, AI regulation in Europe is handled by national data protection authorities rather than a single centralized body. Each country has its own regulator, and they have the power to investigate companies operating within their borders.
Italy’s Garante has been one of the most active regulators in this space. Its previous action against ChatGPT showed that it is willing to take strong measures against AI companies that do not follow European privacy rules. Other regulators, such as Ireland’s Data Protection Commission and France’s CNIL, have also been involved in AI investigations.
This decentralized approach means that AI companies must deal with multiple regulators instead of a single authority. In DeepSeek’s case, this could mean facing separate investigations in different EU countries, each with its own requirements.
How AI Developers Can Avoid Similar Bans
The DeepSeek case highlights the need for AI companies to take European privacy laws seriously. There are a few steps companies can take to avoid similar issues in the future:
- Transparency: AI firms must clearly explain how they collect, store, and process user data. Vague or incomplete privacy policies are likely to raise concerns.
- Data Storage: Companies should be upfront about where user data is stored and whether it is being used to train AI models. If data is being transferred outside the EU, it must meet GDPR’s strict requirements.
- User Control: AI services should give users clear options to manage their data, including the ability to opt out of data collection and request that their information be deleted.
- Legal Compliance: Even if a company is not based in Europe, it must follow EU laws if it processes data from European users. Ignoring this could lead to bans or financial penalties.
By taking these steps, AI developers can reduce the risk of regulatory action and build trust with users.
What Happens Next for DeepSeek?
For now, DeepSeek remains banned in Italy, and the company has 20 days to provide additional information to the Garante. If its response is not satisfactory, the ban could become permanent.
Meanwhile, other EU regulators are continuing to investigate. If they find that DeepSeek has violated GDPR, it could face further restrictions across Europe. This would make it much harder for the company to gain a foothold in the region.
DeepSeek’s response will determine its future in the European market. If it chooses to cooperate with regulators, it may be able to regain access. However, if it continues to resist, it could face wider consequences.
The Bigger Picture: AI and Privacy in the EU
This case is part of a larger debate about how AI should be regulated in Europe. Governments are still figuring out how to balance innovation with privacy concerns. While AI has many benefits, it also raises serious questions about data security and user rights.
Europe has been at the forefront of digital privacy laws, and its approach to AI regulation is likely to influence other regions. Companies that want to operate in the EU must be prepared to follow strict rules, even if they are based elsewhere.
DeepSeek’s case could set an important precedent. If European regulators take a hard stance, other AI companies may be forced to rethink how they handle user data. The outcome of this case will likely shape the future of AI regulation in Europe and beyond.
See Trio in Action: Get Your Free Trial Now!
Conclusion
Italy’s decision to block DeepSeek AI highlights growing concerns over how AI companies handle user data, especially when they operate outside European jurisdiction. The investigation by the Garante, along with ongoing probes in other EU countries, signals that regulators are taking privacy laws seriously.
If DeepSeek wants to regain access to the European market, it will need to comply with GDPR and provide clear answers about its data practices. Otherwise, it risks being shut out of one of the world’s most privacy-conscious regions. As AI continues to expand, companies that fail to address these regulatory challenges may find themselves facing similar restrictions.
