Report from Bloomberg
In Brief – The Data Protection and Privacy Commissioner of Berlin has announced that she asked Apple and Google to remove China-based chatbot DeepSeek from their app stores due to data security concerns and a failure to comply with the EU General Data Protection Regulation (GDPR). Commissioner Meike Kamp is challenging the legality of DeepSeek’s storage and handling of personal data in China. “Chinese authorities have far-reaching rights to access personal data,” Kamp said. “DeepSeek users don’t have enforceable rights and effective legal remedies available to them in China, like they’re guaranteed in the European Union.” DeepSeek ignored a request from Kamp in May to withdraw its app from Germany or put in place appropriate safeguards. Rather than fine the Chinese AI company, which the regulator said it could not enforce, the commissioner invoked a provision of the EU’s Digital Services Act that requires large digital platforms like Apple and Google to take down illegal content on their platforms.
Context – DeepSeek being based in China is creating data security issues with some governments. The South Korean data protection authority has banned the app. The Italian privacy regulator asked the company to explain its GDPR compliance practices in January and got the answer that it was based in China and was not required to comply with the EU law. So, the regulator directed Apple and Google to block downloads in Italy, a ban that is still in effect. Australia, South Korea, Taiwan, several US Government agencies and US states have blocked the app from the devices of government employees. The issue of whether a country’s privacy laws and data handling procedures meet EU “adequacy” standards under the GDPR has been at the heart of the US-EU legal dispute over “Cross Border Data Flows” that began with the Snowden revelations in 2014 and has involved multiple efforts to agree on acceptable processes for handling EU data in the US in the face of legal challenges by EU privacy activists, most recently the 2024 EU-US Data Privacy Framework. Handling EU data in China is a taller order.