DeepSeek and the Global Data Battle: A Zero Sum Game?

By Lorenzo Mendoza

Data was once said to be the new oil, but this statement underestimates what data truly means in the digital revolution we are experiencing today. Unlike oil, which can only be extracted and used once before turning into waste, data can be utilized thousands of times by different parties simultaneously, without losing its power or value. Is data the new oil? Certainly, it is more precious than oil, and all IT enterprises know it, including DeepSeek.

On January 20, 2025, China surprised the world by launching its new AI Large Language Model (LLM), DeepSeek R11. The release coincided with Donald Trump’s inauguration as President of the United States. This model emerged as a competitor in terms of:

• Math ability: Able to grasp new math concepts and solve abstract problems.

• Coding skills: faster code generation and a modular style.

• Efficiency: Operate at about 5% of the cost of traditional models.

• Competitive performance: Tests showed that DeepSeek R1 matched top AI models like Gemini 2.0 and OpenAI O-1 in language understanding and generation.2

  The sudden rise of DeepSeek R1 was undeniable, reaching 22.15 million daily active users worldwide after its release3 and collecting vast amounts of personal data in the process. This massive data collection raised alarms in Europe, particularly catching the attention of the Italian Data Protection Authority (DPA), which questioned DeepSeek’s data processing practices under the General Data Protection Regulation (GDPR) framework.

  The Italian DPA was the first supervisory authority to order a restriction on the processing of Italian users' data against Beijing DeepSeek Artificial Intelligence, giving the company 20 days to provide details on how its AI chatbot complies with European data protection regulations4.

  As soon as DeepSeek was notified of the Italian authority's decision, the company attempted to sidestep any liability under the GDPR, arguing that it "does not operate in Italy" and that "European

  er, this argument is flawed under Article 3(2) of the GDPR, which establishes the regulation's extraterritorial scope:

Article 3(2): Extends the GDPR to organizations outside the EU if they: (a) Offer goods or services to individuals in the EU, even if free of charge. (b) Monitor the behavior of individuals in the EU (e.g., tracking interactions, profiling).

In this context, even if companies are established outside the EU, if they process data from European citizens, it is imperative that they comply with the GDPR. However, the challenge of Article 3(2) does not lie in its clarity but rather in its enforcement. Enforcing the law becomes more difficult when an enterprise like DeepSeek has no physical presence in Europe. This means that data protection authorities have less control over supervising companies' implementation of appropriate technical and organizational measures to demonstrate that data processing is carried out in accordance with the GDPR (Article 24). Since in-person office visits are impossible, ensuring compliance becomes significantly more challenging.

Despite this, on one hand, the Italian Data Protection Authority remains responsible for ensuring that all GDPR principles and rights are upheld by DeepSeek as the data controller. On the other hand, due to the extraterritorial scope established in Article 3(2), DeepSeek is liable for any infringement of European data protection regulations and is bound by all legal requirements to provide its service within Italian territory.

For instance, the DPA main request revolves around the principle of transparency under the GDPR (Article 12). This principle requires that any information addressed to the public or to data subjects be concise, easily accessible, and easy to understand.

In this regard, DeepSeek should address the following questions to determine whether it has complied with the GDPR:

• What types of personal data were collected from users?

• From what sources did such data come (for example, whether it was extracted directly from users' social profiles or collected through web scraping activities)?

• For what purposes were the data processed, and on what legal basis?

• Were the data stored on servers located in China, with the consequent risk of exposure to less guaranteed regulations than the GDPR?

• If and how registered and non-registered users were informed regarding the processing of their personal data?6

More than a month has passed since the Italian DPA communicated with Beijing, yet no updates have been provided. The last news came from The Wiz Research, which revealed a leak of one million sensitive records from DeepSeek. This raises further doubts about how the company processes and protects the personal data and privacy of its users7.

From a geopolitical perspective, DeepSeek's overwhelming global success can be considered a zero-sum game: a win for China and a loss for the West. The Great Firewall of China has blocked access to selected foreign websites and slowed down cross-border internet traffic, prohibiting apps such as Google, ChatGPT, YouTube, Facebook, and Instagram. This means that companies outside China cannot process the personal data of Chinese citizens. Meanwhile, China, through DeepSeek, has managed to become a major player in the AI market—without transparent compliance with supranational regulations such as the GDPR—while continuously harvesting vast amounts of data from citizens beyond its borders.

The case of DeepSeek illustrates a growing challenge in global data governance. At least in the Deepseek case, corporations operating from jurisdictions with distinct legal frameworks, such as China, may not always comply transparently, even while European regulators are willing to enforce data privacy regulations outside of their borders. This can lead to an asymmetry in data access; while Western firms face strict restrictions in China, Chinese companies can collect and process foreign data with fewer limitations. The outcome of this dispute will not only shape the future of DeepSeek but could also set a precedent for how AI and data privacy are controlled and regulated on a global scale.