The Berlin Commissioner for Data Protection has reported the AI app DeepSeek to Apple and Google for breaching European data protection laws.
The watchdog says the app illegally transfers personal data from German users to servers in China, without the safeguards required under the GDPR.
At the heart of the issue is DeepSeek, a multifunctional chatbot developed by Hangzhou DeepSeek Artificial Intelligence, based in Beijing. The company operates the service via German-language apps available on both the Google Play Store and Apple App Store. For all its penetration of the European market, DeepSeek does not have an EU physical presence.
The app collects and processes a wide range of user data: messages, chat history, files transmitted, location, device info, and network metadata. According to the Berlin authority, the data is transmitted to China and stored on servers there, without the protections demanded under EU law.
“The transfer of user data by DeepSeek to China is unlawful,” said Meike Kamp, Berlin’s Commissioner for Data Protection and Freedom of Information. “DeepSeek has not been able to convincingly prove to my authority that data from German users is protected at a level equivalent to that of the European Union.”
European privacy rules don’t allow the transfer of personal data to countries that lack comparable legal protections unless there are so-called “adequate safeguards.” China does not have an adequacy agreement with the EU. And according to Kamp, the access that Chinese authorities can demand from companies in their jurisdiction makes the risk clear.
“Chinese authorities have extensive access rights to personal data within the sphere of influence of Chinese companies,” she noted. “DeepSeek users in China do not have enforceable rights and effective remedies guaranteed in the EU.”
On 6 May 2025, the Berlin authority formally requested that the company remove its apps from the German app stores and either stop transferring data or meet the legal requirements for doing so. DeepSeek did not comply.
Now, under Article 16 of the Digital Services Act, Berlin has turned to the platforms. On 27 June 2025, it submitted formal reports to Apple Distribution International Ltd. and Google Ireland requesting they investigate the matter and decide whether the app should be blocked in Germany.
The action follows initial coordination with the data protection regulators of other German states, including Baden-Württemberg, Rhineland-Palatinate, and Bremen, as well as the Federal Network Agency charged with implementing the DSA.
Both Apple and Google are required to respond promptly. If they confirm the violation, they could remove the app from their respective stores in Germany.
This isn’t the first time DeepSeek has been in the hot seat. In March this year, researchers from Tenable discovered how the tool can be exploited to generate malware, such as keyloggers and ransomware, despite its initial claims that it did not engage in harmful activities.
In the same month, AppSOC called DeepSeek a high-risk model that is not suitable for use in enterprises, recommending that it should not be used for “any AI applications, especially those involving personal information, sensitive data or IP.”
For now, DeepSeek remains available. But its days in German app stores may be numbered.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.