DeepSeek and data protection: the recommendations of the CNPD

The CNPD wishes to raise public awareness of the risks associated with using the DeepSeek R1 (DeepSeek) artificial intelligence tool. Although this generative AI model is freely available on the Internet, it has not been designed for European consumers.

DeepSeek, developed in China by the company of the same name, is made available as open source, including within the European Union via platforms such as Hugging Face. However, its use raises major concerns, particularly as regards the collection and processing of data without sufficient guarantees. Data entered by users in ‘prompts’ can be recorded, transferred, stored or analysed without a clear data protection framework.

This also makes it difficult, if not impossible, for data subjects to exercise their rights under the General Data Protection Regulation (GDPR). The absence of a DeepSeek representative in the European Union creates legal uncertainty for users in Luxembourg and the EU. This results in a lack of clear guarantees regarding compliance with the GDPR, a lack of transparency regarding the governance of this AI, as well as the potential involvement of state or third-party actors in data management, amplifying the risks of violation of personal data and the fundamental right to privacy.

Furthermore, the fact that DeepSeek or its data controller is not established in the territory of the European Union and has not appointed a legal representative in the European Union means that cooperation with the CNPD and other European data protection authorities is uncertain, making any regulation or recourse in the event of abuse particularly complex. Unlike companies established on EU territory or having established a representative there, which must comply with the GDPR, the absence of a DeepSeek representative in Europe makes it difficult, if not impossible, for citizens to exercise their rights (access, rectification, deletion of data).

In order to limit the risks associated with the use of DeepSeek, the CNPD makes several recommendations:

  • Avoid installing the DeepSeek model and its configuration files in any IT environment, in order to limit exposure to the risks of data leakage or misuse.
  • When using the online interface, never enter personal or confidential data, as such data could be used without adequate safeguards.
  • Actively raise awareness among employees (professional sphere) and Internet users (personal sphere) of the risks associated with the use of AI.
  • Favour AI tools that comply with the European regulatory framework (GDPR, AI Act), respect data protection principles and offer clear guarantees in terms of security and respect for privacy.

The CNPD remains vigilant with regard to the development of artificial intelligence and is working to put in place appropriate regulatory frameworks to protect Luxembourg and European citizens against the risks associated with these new technologies.
