When DeepSeek was released in January, it caused shockwaves in international stock markets and became the most downloaded app across Apple and Google app stores. The instant success of the application has sparked significant debate — not for its features or capabilities, but for the questions it raises about data sovereignty.
This concern is not limited to DeepSeek, but applies to all similar public generative AI (GenAI) tools — including Open AI’s ChatGPT, Google’s Gemini and Microsoft’s CoPilot. It represents a wake-up call not only to businesses, cybersecurity and privacy professionals but also governments and regulators, in how AI tools are evaluated and deployed.
This post will consider:
- The data sovereignty challenges DeepSeek and similar AI tools present
- The implications of using AI for businesses in regulatory-heavy markets
- Key steps to safeguard sensitive business data while fully leveraging AI tools
Understanding DeepSeek and its data sovereignty controversy
DeepSeek is a powerful GenAI chatbot able to perform similar tasks to ChatGPT and Gemini. However, it was developed and operates at a fraction of the cost of its rivals. DeepSeek is hugely attractive to organizations looking to implement AI tools for operational efficiency, as a cost-effective open-source solution.
However, it comes with a catch, buried in its Terms and Conditions. In using the tool, users consent to having their data processed in the People’s Republic of China. This is a detail that's set off alarm bells for privacy professionals around the world, not least because China’s Data Security Law (DSL) gives its government sweeping access to all data stored in its jurisdiction.
Why data sovereignty matters for AI
Data sovereignty is the idea that a country or region has the right to govern and control the data that is created, collected or stored within its borders.
DeepSeek raises critical concerns for jurisdictions with data privacy laws that place geographical restrictions on data processing, such as the EU General Data Protection Act (GDPR), in direct contradiction to the prevailing Data Security Law applicable to data processed within the People’s Republic of China.
While DeepSeek has ignited the data sovereignty debate, all AI tools introduce sovereignty risks because they process vast user data without stating how or where it is handled. When employees use these tools, they may unknowingly transfer sensitive data to unauthorized geographies and jurisdictions.
Regulatory scrutiny over AI platforms
DeepSeek’s data processing practices haven’t gone unnoticed by US and EU regulators. Italy’s data protection authority, the Garante, has ordered “the limitation on processing of Italian users' data” against the companies that provide the DeepSeek chatbot service.
Elsewhere, Taiwan, Australia and the US state of Texas have banned DeepSeek on government devices. European regulators are investigating the AI chatbot to evaluate its privacy risk. The app has also been removed from Apple and Google app stores.
This regulatory focus isn’t limited to DeepSeek. Platforms such as ChatGPT and Copilot will likely face similar reviews regarding how they process, store, and secure data globally. This moment signifies a turning point in AI governance, as governments aim to prevent technology from outpacing privacy protections.
Key considerations for businesses
There are some key steps businesses need to take when adopting and authorizing the use of AI tools:
- Perform legal compliance checks — verify all applicable legislation, including local and international data privacy laws, and confirm the jurisdiction(s) in which data processing will take place
- Establish acceptance use policies — Create and enforce clear internal policies on the use of AI for work purposes, including authorized AI tools and the devices permitted to access them
- Provide awareness training — Train employees on the risks of sharing company data with unauthorized AI platforms
- Invest in sovereignty-controlled solutions — Prioritize AI platforms that operate either on in-house systems or within geographically controlled cloud environments, and offer organizational control over the location of company data
- Monitor evolving regulations — Keep up to date with local and international regulations governing AI, privacy and data sovereignty
What’s next for AI and data sovereignty
The rapid expansion of AI highlights an undeniable tension between technology and lagging regulation. For data privacy and security professionals, there is a need to balance innovation with a commitment to user privacy and sovereignty.
The controversy surrounding DeepSeek has highlighted this as a pressing issue for regulators and businesses alike — ensuring advanced technology integrates seamlessly with global data sovereignty principles. Business leaders, privacy advocates and governments must work together to build an international framework where innovation and privacy go hand in hand.
To find out how Ground Labs can support your business, arrange a complimentary data workshop or book a call with one of our experts today.