South Korea’s data protection authority has determined that Chinese AI startup DeepSeek collected and transferred personal information from local users without proper consent, marking another setback for the company’s international expansion.
The Personal Information Protection Commission (PIPC) released its findings Thursday after a months-long privacy and security review of the AI company. This investigation follows DeepSeek’s removal from South Korean app stores in February at the PIPC’s recommendation.
According to the watchdog, during DeepSeek’s operation in South Korea, the company transferred user data to several firms in China and the United States without obtaining the necessary permissions or informing users about these practices.
“DeepSeek failed to secure proper consent from users before transferring their personal information overseas,” a PIPC spokesperson said. “This represents a clear violation of South Korean privacy laws.”
Data Transfer to Chinese Cloud Platform
The investigation specifically highlighted DeepSeek’s transfer of sensitive information to Beijing Volcano Engine Technology Co., a Chinese cloud service platform. The transferred data included content from user-written AI prompts along with device, network, and app information.
While the PIPC initially described Beijing Volcano Engine Technology as “an affiliate” of ByteDance (TikTok’s parent company), the watchdog later clarified that the cloud platform “is a separate legal entity and has no relation to ByteDance.”
In its defense, DeepSeek claimed it used Beijing Volcano Engine Technology’s services to enhance app security and user experience. The company reportedly blocked the transfer of AI prompt information starting April 10, but this came after months of unauthorized data sharing.
Rising Star Faces Growing Scrutiny
The Hangzhou-based AI startup gained international attention in January with the release of its R1 reasoning model, which reportedly rivals Western competitors despite being developed with fewer resources and less advanced hardware.
However, DeepSeek’s rapid rise has triggered national security and data privacy concerns globally. Technology experts have identified potential data vulnerabilities in the app and raised questions about the company’s privacy policies.
Of particular concern to international observers is China’s requirement that domestic companies share data with the government when requested—a policy that has led to increased scrutiny of Chinese tech firms operating in foreign markets.
Government Bans Spreading
The investigation comes amid reports that several South Korean government agencies had already banned employees from using DeepSeek on work devices. Similar restrictions have reportedly been implemented by government departments in Taiwan, Australia, and the United States.
“Government agencies are increasingly cautious about AI tools developed by companies subject to different data governance standards,” explained a cybersecurity analyst who requested anonymity. “The concern isn’t just about individual privacy but potential national security implications.”
Path to Compliance
The PIPC has issued a “corrective recommendation” to DeepSeek, which includes directives to:
- Immediately destroy all AI prompt information transferred to the Chinese company
- Establish proper legal protocols for transferring personal information across borders
- Implement updates to comply with local data protection policies
When the data protection authority initially announced DeepSeek’s removal from South Korean app stores, it indicated the app could return once the company implemented necessary compliance measures.
Representatives from DeepSeek and ByteDance did not immediately respond to requests for comment on the PIPC’s findings.
This case highlights the growing tension between rapid AI development and data privacy concerns, particularly when technology crosses international borders with varying regulatory standards. As AI companies continue global expansion, they increasingly face the challenge of navigating complex and sometimes conflicting privacy regulations across different jurisdictions.
For users of AI tools, the case serves as a reminder to review privacy policies and understand how their data might be used or transferred—especially when using services developed under different regulatory frameworks.
