South Korea: Chinese AI app DeepSeek illegally shared data of 1.5 million Korean users

Chinese generative AI platform DeepSeek passed on personal details of Korean users to firms in China and the United States without obtaining proper consent during its short operation in South Korea, as stated by the country’s data protection authority on Thursday, according to a report from Radio Free Asia (RFA).

DeepSeek’s chatbot application became the most popular download on Apple’s iPhone, even outpacing OpenAI’s ChatGPT. While it gained recognition for its performance, it also raised alarms regarding censorship of sensitive subjects, data privacy issues, and its connections to the Chinese government, leading several nations, including South Korea, to ban the app, as reported by RFA.

Between January 15 and February 15, 2025, during a temporary suspension of its service amid privacy concerns, DeepSeek transferred user data to three companies in China and one in the US, according to the announcement made by the Personal Information Protection Commission (PIPC) cited in the RFA report.

The Chinese service did not seek user consent for these international data transfers nor did it include this practice in its privacy policy. With around 50,000 daily users during its one-month operation, the PIPC estimated that data from about 1.5 million users could have been improperly shared abroad, as mentioned by RFA.

The commission discovered that DeepSeek not only transmitted device, network, and app information but also the content users entered into AI prompts to Volcano, one of the Chinese companies linked to ByteDance, the parent company of TikTok, according to the RFA report.

The investigation also revealed that DeepSeek lacked an “opt-out” feature that would enable users to prevent their input from being utilised in AI training and development. This function was only introduced after the PIPC pointed out its absence, as reported by RFA.

The privacy policy, which was only available in Chinese and English, failed to include necessary details regarding data deletion processes, methods, and security measures required by South Korean privacy regulations, as highlighted by the RFA report.

The PIPC urged DeepSeek to promptly erase the user prompt data sent to Volcano and to make various enhancements, including appointing a local representative in South Korea and improving overall security protocols for handling personal information, as reported by RFA.