What is DeepSeek, why is it such a big deal, and is it safe to use?
Posted: February 1, 2025
The Chinese AI firm DeepSeek has released a highly impressive generative AI model that rivals the best of its Western competitors. But the company faces investigations in multiple European countries and concerns over how it collects and uses personal data.
What is DeepSeek?
DeepSeek is a generative AI chatbot based on the Large Language Model (LLM) DeepSeek-R1. The app’s functionality—and capabilities—are similar to OpenAI’s ChatGPT.
Unlike ChatGPT, DeepSeek is “open source”, to the extent that the company publishes the code underpinning its algorithms, and its training methods (but not the training data itself). As such, it’s possible to modify the code and run a local version of DeepSeek on a sufficiently powerful computer.
DeepSeek performs well against all published benchmarks compared to its competitors, which, along with ChatGPT, include other LLMs such as Anthropic’s Claude, Meta’s Llama, and Google Gemini.
What’s the big deal?
DeepSeek made headlines because its R1 model was reportedly developed for just $6 million—much less than its main rival, OpenAI’s GPT-4 (which cost around $100 million to develop).
Generative AI developers typically build their models using Graphics Processing Units (GPUs) like Nvidia’s H800 chips. While OpenAI reportedly used around 16,000 such chips to train GPT-4, DeepSeek says it developed its R1 model with just 2,000 chips.
DeepSeek’s more efficient training methods reportedly rely on a version of the so-called “mixture of experts” approach, which activates the specific resources required to fulfil a given task. This approach reduces the amount of resources active at a given time.
Tech companies have invested billions in generative AI. DeepSeek built a powerful AI model using relatively little hardware and made it open source, and some observers credit the company with wiping $1 trillion off major tech companies’ market values—including a 17% hit to Nvidia’s stock price.
Is DeepSeek safe to use?
DeepSeek is a Chinese company, so some observers have raised concerns about:
- What happens to data collected by DeepSeek, and
- Censorship of DeepSeek’s outputs
So let’s look at whether DeepSeek likely complies with EU and UK data protection law, the General Data Protection Regulation (GDPR).
What data does DeepSeek collect?
DeepSeek’s Privacy Policy sets out the types of data DeepSeek collects about its users and website visitors.
Many of the types of data DeepSeek collects are quite common for Software as a Service (SaaS) AI applications, including technical information such as the user’s IP address, account information such as the user’s email address, and inputs into the chatbot’s user-interface (“prompts”).
However, the Privacy Policy also discloses that DeepSeek may create an ID enabling each user to be identified across different devices and also collect their “keystroke patterns or rhythms”.
If analyzed in sufficient detail, a person’s keystroke patterns or rhythms are unique—we all type in different ways, with different habits and quirks. As such, this information can be used as “biometric data”—a unique identifier based on a person’s immutable behavioral or physical characteristics.
It’s not clear why DeepSeek would collect people’s keystroke patterns or rhythms, and the GDPR sets a high bar for any processing of biometric information.
Where does DeepSeek store data?
DeepSeek’s Privacy Policy notes that the company stores the data it collects in “secure servers located in the People’s Republic of China”.
The GDPR sets strict rules about “international data transfers”. Generally, organizations may only transfer personal data outside of the European Economic Area (EEA) or the UK if they can guarantee that the GDPR’s data protection standards will not be undermined.
China is not considered an “adequate” country by the European Commission, so transferring personal data to China would require special safeguards. It’s not clear whether DeepSeek has implemented such safeguards—or whether any safeguards would be strong enough to comply with EU law.
However, an international data transfer involves two parties—one organization subject to the GDPR (the “exporter”) who transfers personal data to another organization outside the EEA or UK.
Because DeepSeek collects personal data directly from its users, the international data transfer rules arguably do not apply to the initial collection of personal data from its users.
But—once data reaches DeepSeek’s servers in China, the company would need to comply with the GDPR’s international data transfer rules before it disclosed personal data to another organization within China.
DeepSeek’s Privacy Policy states that other organizations may process personal data collected by DeepSeek, including other entities in the company’s corporate group. Chinese law also means that government authorities may access data stored on DeepSeek’s servers.
If DeepSeek facilitated another Chinese entity’s access to users’ data, the GDPR’s data transfer rules would apply, and it’s not clear how DeepSeek would comply with them.
GDPR investigations into DeepSeek
Since DeepSeek’s R1 model made headlines in late January, the company has attracted the attention of several EU Data Protection Authorities (DPAs):
- The Italian DPA received a GDPR complaint about DeepSeek and has ordered the company to temporarily stop processing personal data about people in Italy while it investigates.
- The Belgian DPA has also received a complaint about DeepSeek and launched a formal investigation.
- The Irish DPA has written to DeepSeek to request details on its data processing activities.
- The Portuguese DPA has also reportedly received a complaint about DeepSeek.
While no court or regulator has found any GDPR violations on DeepSeek’s part, there are widespread concerns about how the company collects and stores personal data. DeepSeek maintains that it complies with data protection law—to the extent that EU law applies to the company at all.
As noted, DeepSeek’s R1 is open source. As such, it’s possible to run the model locally—without any connection to DeepSeek’s servers. This method would allow users to experiment with the model in a more secure and private environment.
However, the uncertainty around DeepSeek’s privacy practices means many companies will avoid using a generative AI model subject to Chinese law—at least until European regulators have concluded their investigations.