PIPC Calls for Changes to DeepSeek’s Privacy Practices
Key Takeaways
- Privacy Policy Transparency: DeepSeek updated its privacy policy to meet South Korea’s PIPA requirements, including clearer details on data processing, retention, destruction procedures, and safeguards.
- Cross-Border Data Transfer: The company revised its practices to ensure proper consent for data transfers to China and the U.S. and stopped sending user input data to Volcano’s servers.
- AI Model Training: DeepSeek introduced an opt-out feature for users to prevent their data from being used in AI training, following feedback from the PIPC.
- Children’s Data Safeguards: After the PIPC flagged gaps, DeepSeek implemented age verification procedures to better protect children’s personal data.
- PIPC Recommendations: DeepSeek is required to strengthen its legal bases for cross-border data transfer, destroy unnecessary data, and appoint a domestic agent in Korea to comply with PIPA.
Deep Dive
The Personal Information Protection Commission (PIPC) has taken a closer look at Hangzhou DeepSeek Artificial Intelligence (DeepSeek), a company that’s been under scrutiny ever since its R1 Large Language Model (LLM) AI chatbot launched earlier this year. What started as a routine review of the privacy practices of DeepSeek’s services has resulted in a series of recommendations that are shaking up how the company handles user data and cross-border transfers.
When DeepSeek rolled out its chatbot service in January 2025, there was a lot of buzz. But behind the excitement, privacy concerns quickly began to surface. The company's privacy policy was found wanting, available only in English and Chinese, and offering scant details about how it was handling sensitive user data. According to the PIPC, it wasn’t transparent enough, missing key details such as how user data was destroyed, the safeguards it had in place, and even basic contact information for its Chief Privacy Officer (CPO).
So, what did DeepSeek do? They quickly got to work. By March 28, 2025, they’d updated their privacy policy, providing a Korean version that met the necessary legal requirements. They added explanations for data retention, processing methods, and the destruction procedures. In short, they took a step back, recognized where they were falling short, and began making the fixes.
The Cross-Border Data Dilemma
One of the bigger concerns raised during the PIPC's review was how DeepSeek handled the transfer of user data across borders. They had been sending personal data to servers in China and the U.S. without obtaining separate consent from users. But it doesn’t stop there: some of this data was being sent to Beijing Volcano Engine Technology Co., Ltd. (Volcano), which is closely tied to ByteDance.
DeepSeek initially failed to disclose this cross-border transfer in their privacy policy, a significant oversight. The company quickly took action, revising their policy to comply with the legal requirements for such transfers. They also stopped sending user input data to Volcano's servers, acknowledging that the transfer of this data wasn’t necessary for service improvements. It’s a step in the right direction, but one that highlights the challenges companies face when trying to juggle data privacy concerns while improving their services.
AI Training and User Consent
Another aspect of the review that raised red flags was how DeepSeek used user-entered data. Much like other AI providers, DeepSeek had been using this data to train their AI models. But they didn’t provide users with a clear opt-out option, nor did they inform users about how their data was being used in training. This lack of transparency didn’t sit well with the PIPC.
In response, DeepSeek added an opt-out feature starting March 17, 2025, allowing users to choose whether their data is used for AI development. It’s a good move, but it also speaks to the ongoing challenge of balancing innovation with user rights in the fast-evolving world of AI.
Safeguarding Children’s Data
DeepSeek also found itself on the hook for not properly safeguarding children’s data. While the company stated it didn’t collect personal data from children under 14, it didn’t have an age verification process in place. After being alerted to this issue, DeepSeek implemented the necessary procedures during the PIPC's examination. It’s a clear example of the company reacting swiftly to address potential gaps in their security and privacy practices.
The PIPC has issued a set of recommendations that aim to ensure DeepSeek complies with the Personal Information Protection Act (PIPA) and improves its overall data practices. Here’s what’s on the table:
Corrections:
- Strengthen the legal basis for cross-border data transfers.
- Destroy user-entered data transferred to Volcano’s servers immediately.
- Disclose the updated privacy policy in Korean.
Improvements:
- Enhance safeguards to protect user data, especially when training AI models.
- Implement stronger measures to prevent children’s data from being collected.
- Improve overall safety and security of data processing systems.
- Appoint a domestic agent in Korea to ensure ongoing compliance with PIPA.
DeepSeek’s response to these findings has been largely positive, but they still have a long road ahead to fully comply with the PIPC's recommendations. They have 10 days to officially accept these corrections, and once they do, they’ll have 60 days to report back with progress. The PIPC will continue monitoring their compliance over the next few months.
It’s not just about DeepSeek, though. The PIPC’s review also serves as a reminder to other foreign businesses operating in South Korea to ensure they’re properly adhering to the country’s privacy laws. To make it easier, the PIPC has rolled out a "Compliance Checklist for Foreign Business Operators," designed to guide companies through the legal requirements they need to meet before launching services in Korea.