The Italian Data Protection Authority (Garante per la protezione dei dati personali) has imposed an emergency ban on DeepSeek, an AI chatbot, for failing to meet GDPR transparency and security standards.
The Italian DPA is the supervisory authority responsible for monitoring application of the General Data Protection Regulation (pursuant to Article 51 of Regulation No. 2016/679).
Despite DeepSeek’s claim that it does not operate in Italy, the DPA’s investigation found significant data collection from Italian users. The inquiry sought details on data sources, processing purposes, storage locations and compliance with GDPR, but DeepSeek’s response was insufficient and evasive. This led to the immediate restriction of its data processing activities in Italy.
“With great power comes great responsibility,” said Lee Kim, Senior Principal, Cybersecurity and Privacy at HIMSS. “All organizations must safely and responsibly handle, disclose and use personal data with rigor. Italy’s decisive action serves as a strong reminder that AI must be designed and deployed responsibly. Healthcare information, in particular, must be safely and securely exchanged to protect patient privacy and security. We need safe, reliable, and trustworthy data to provide the best possible care for patients.”
The Italian DPA described DeepSeek as a serious privacy risk due to its lack of transparency, failure to cooperate with authorities, and potential exposure of user data. Investigators raised alarms about how personal data was being collected, where it was stored, and whether Italian users were properly informed.
The decision to block DeepSeek is not just about Italy — it signals a growing international concern over AI-driven data collection and security. DeepSeek is not alone; other AI platforms developed outside the EU may face similar scrutiny if they fail to comply with GDPR and European data protection standards.
The case is notable for its timing as well as its target: the Garante acted preemptively, restricting an AI chatbot’s processing under GDPR before any confirmed data breach, and in doing so set a precedent for AI regulation and enforcement. It also highlights the challenges of regulating international AI platforms that operate beyond European legal frameworks.
It also underscores the differences between the EU’s GDPR and China’s PIPL (Personal Information Protection Law) — particularly regarding data sovereignty, state oversight and user privacy protections.
A key concern is the cross-border transfer of personal data. GDPR restricts transfers of personal data about people in the EU to countries outside the EU/EEA: such a transfer is lawful only if the European Commission has found the destination country to provide an adequate level of protection, or if the exporter puts appropriate safeguards in place (for example standard contractual clauses), or if a narrow derogation applies. China has no adequacy decision, so any transfer of Italian users’ data to servers in China would have to rest on such safeguards, which is why the Garante’s inquiry asked where the data is stored and on what basis it is processed.
The DeepSeek case has broader implications for AI governance, especially in industries handling sensitive personal data like healthcare. AI’s ability to process vast amounts of data presents both opportunities and risks, making accountability and transparency non-negotiable.
Italy’s decisive action serves as a warning to AI developers worldwide: non-compliance with strict data privacy laws will have consequences. Regulators around the world are now taking a closer look at AI-driven data collection and processing.