DeepSeek ordered to revise personal data policies, delete mishandled user information

Home > National > Social Affairs

DeepSeek ordered to revise personal data policies, delete mishandled user information

Published: 24 Apr. 2025, 15:30 Updated: 24 Apr. 2025, 15:38

Audio report: written by reporters, read by AI

The DeepSeek app is seen in this image from Jan. 29. [REUTERS/YONHAP]

The Korean government ordered DeepSeek to revise its personal data policies and delete user information it transferred abroad without proper consent, based on the results of its preliminary investigation announced Thursday. This made Korea the first country in the world to publicly disclose investigation results into the Chinese generative AI service.

The Personal Information Protection Commission (PIPC) concluded that DeepSeek had transferred user data collected from users in Korea to four companies based in China and the United States on Thursday.

“While other generative AI models like ChatGPT also transfer data abroad, DeepSeek failed to inform users or obtain permission,” Nam Seok, head of the commission’s investigation divsion, said during a press briefing.

“DeepSeek submitted documentation on overseas transfers during our probe,” Nam added.

A DeepSeek AI sign is seen at a building where the Chinese start-up's office is located in Beijing, China, in this photo taken on Feb. 19, 2025. [REUTERS/YONHAP]

Among the more contentious findings was that user prompts — the text commands inputted into the AI — were sent to Beijing Volcano Engine Technology, a cloud services provider affiliated with ByteDance, the parent company of TikTok.

In response, DeepSeek claimed that Volcengine operates as a separate legal entity from ByteDance and that data transfers were necessary for service improvements, including user interface (UI), user experience (UX) and security measures.

However, the PIPC pointed out that there was no need to transfer entire user prompts for such purposes. Following the commission’s intervention, DeepSeek stopped transferring this data as of April 10.

Lack of user consent, transparency

DeepSeek reportedly used user input data for AI development and training purposes, much like other AI companies. However, unlike its peers, DeepSeek failed to offer users the option to opt out, according to the commission. The company also did not sufficiently explain this data usage in its terms of service or privacy policy.

After the PIPC raised these concerns, DeepSeek introduced an opt-out function on March 17. The company also agreed to comply with Korea’s “enhanced protection measures” — guidelines issued by the Korea Internet & Security Agency in March 2024. These require companies to delete pages that expose personal information such as resident registration numbers, phone numbers, or bank account details, and to clearly disclose how user data is processed during AI learning.

Nam Seok, director general of the Investigation and Mediation Bureau at the Personal Information Protection Commission, announces the results of a preliminary inspection into Deepseek during a briefing at Government Complex Seoul in Jongno District, central Seoul, on April 24. [YONHAP]

Inadequate local compliance, failure to protect minors

DeepSeek also fell short of complying with Korean data protection law when it launched in the country on Jan. 15 last year. Its privacy policy was available only in Chinese and English, omitting key elements required under local law — such as the procedures for destroying personal information, safety measures and contact details of the company’s data protection officer.

After being urged to revise its practices, DeepSeek submitted an updated privacy policy on March 28. It pledged to release a Korean-language version and include relevant jurisdiction clauses when the service relaunches.

DeepSeek also faced backlash for stating in its policy that it collects detailed behavioral data, such as users’ keyboard input patterns and rhythms. The company later clarified that it had never actually gathered this information from any country and included the clause prematurely while still designing the service. It has since removed the reference from its policy.

The PIPC also noted that DeepSeek lacked safeguards for handling the personal data of users under 14. The company has since added age verification mechanisms and addressed several cybersecurity vulnerabilities that were previously criticized by foreign media reports.

Notices indicate that the DeeSeek app is unavailable for downloads or use as of April 17. [PERSONAL INFORMATION PROTECTION COMMISSION]

Government issues mandatory and advisory orders

Based on its findings, the PIPC issued a corrective recommendation to DeepSeek. The order requires DeepSeek to secure legal grounds for overseas data transfers, delete previously transferred prompts, and ensure transparency by publishing a Korean-language privacy policy.

The commission also issued advisory recommendations including following enhanced protection measures, deleting data collected from minors, improving overall data security systems and designating a proper local representative.

Corrective recommendations are not legally binding but are strong advisories issued in response to regulatory violations. If DeepSeek accepts the recommendation within 10 days, it will be treated as having complied with a legally enforceable correction order under the Personal Information Protection Act. The company must then report on its implementation progress within 60 days.

“We believe that if DeepSeek follows through on these measures, its practices will meet the standards set by Korean law,” Nam said. “We will monitor its progress through at least two follow-up reviews,” he added.

Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff.
BY MOON HEE-CHUL [[email protected]]