Case Study Two: DeepSeek’s “Swift Regulatory Action” – “Not Operating in the EU” Is Not an Exemption from Compliance
1. Case Background and Violations
On January 30, 2025, the Italian Data Protection Authority (Garante) took swift and severe regulatory action against the Chinese AI company DeepSeek, ordering it, with immediate effect, to block its chatbot service for users in Italy. This “swift regulatory action” came only days after DeepSeek’s product had surged in popularity, and it illustrates the zero-tolerance approach of EU regulators to data protection violations. The Garante’s investigation identified several serious violations by DeepSeek:
Firstly, DeepSeek failed to state clearly what European user data it collected, where that data was stored, and for what purposes. This lack of transparency violated the fundamental GDPR principles of lawfulness, fairness and transparency (Article 5(1)(a)) as well as the information duties owed to data subjects under Articles 13 and 14.
Secondly, DeepSeek had not designated a representative in the EU. Under GDPR Article 27, a controller or processor that is not established in the EU but offers goods or services to data subjects in the EU, or monitors their behaviour (Article 3(2)), must designate a representative in the EU. The only exemption (Article 27(2)) covers processing that is occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions, and is unlikely to result in a risk to data subjects; a mass-market chatbot that collects user data is unlikely to qualify. The absence of a representative directly hindered the supervisory authority’s ability to communicate with, and supervise, the company.
Furthermore, DeepSeek failed to provide evidence that European users’ data was not being transferred to China. China has no EU adequacy decision, so under Chapter V of the GDPR such transfers are permitted only with appropriate safeguards (Article 46, for example Standard Contractual Clauses) or under the narrow derogations of Article 49; transferring EU data to such a country without one of these bases is unlawful.
Finally, although DeepSeek initially argued that it was “not operating in Italy,” Garante’s investigation confirmed that DeepSeek’s chatbot service actually processed a significant amount of Italian user data, thus falling within the territorial scope of the GDPR.
2. Analysis of Compliance Challenges
DeepSeek’s case serves as a warning to other Chinese enterprises. Its main compliance failure lay in misreading the scope of GDPR jurisdiction and neglecting its compliance obligations. The core mistake was the attempt to avoid the GDPR by claiming it was “not operating in the EU.” The GDPR’s territorial-scope provision (Article 3(2)) states explicitly that a controller or processor not established in the EU is subject to the Regulation whenever it offers goods or services to data subjects in the EU, or monitors their behaviour, regardless of where it is registered or where its servers are located. In short, if your product or service reaches EU users, you bear the full set of compliance obligations under the GDPR.
DeepSeek had no data processing framework that met GDPR requirements: transparency about data collection, purpose limitation, disclosure of storage locations, and a lawful basis for cross-border transfers were all missing. The failure to designate an EU representative was a further conspicuous gap. It not only breached an explicit GDPR requirement but also obstructed communication with the supervisory authority during the investigation, which can itself lead to harsher sanctions.
3. Compliance Solutions and Recommendations
Given the lessons from DeepSeek, Chinese enterprises should take the following specific measures to ensure GDPR compliance:
1. Re-evaluate GDPR Applicability: Any enterprise offering products or services to EU users, regardless of whether it has an entity in the EU, should assume the GDPR applies. Conduct a comprehensive data flow analysis to identify all processing activities involving EU data subjects.
2. Designate an EU Representative: If an enterprise has no establishment in the EU but its processing is subject to the GDPR, it must designate a representative in accordance with Article 27. The representative must be established in one of the Member States where the relevant data subjects are located (Article 27(3)), serves as the contact point for data subjects and supervisory authorities, and must be identified in the privacy notice (Article 13(1)(a)).
3. Enhance Data Processing Transparency: Develop clear, easy-to-understand privacy policies that detail what data is collected, the purposes of processing, the legal bases, retention periods, data recipients, and data subjects’ rights. For cross-border transfers, the destination and the safeguards relied on (e.g., Standard Contractual Clauses, SCCs) must be disclosed clearly.
4. Establish Compliant Cross-Border Data Transfer Mechanisms: If EU data is to be transferred to China or another third country, the transfer must comply with Chapter V of the GDPR. In practice this means implementing Standard Contractual Clauses (SCCs), conducting a Transfer Impact Assessment (TIA) of the destination country’s law and practice, and, where the TIA shows the SCCs alone are not enough, adopting supplementary measures, so that the data enjoys a level of protection essentially equivalent to that guaranteed in the EU.
5. Improve Data Subject Rights Response Mechanisms: Establish efficient internal processes so that requests to exercise data subject rights (access, erasure, rectification and the others in Chapter III) are answered within the statutory deadline of Article 12(3): without undue delay and in any event within one month of receipt, extendable by two further months for complex or numerous requests.
6. Regularly Conduct Compliance Audits and Risk Assessments: Continuously monitor processing activities, conduct periodic GDPR compliance audits and risk assessments, and promptly identify and close compliance gaps. Before product launch, carry out Privacy by Design and Privacy by Default reviews as required by Article 25.
By adopting the above recommendations, Chinese enterprises can effectively avoid the mistakes made by DeepSeek, reduce GDPR compliance risks, and ensure their sustainable development in the EU market.
Disclaimer
This article is for discussion purposes only and does not constitute legal opinion or advice of any form from 廣悅律師事務所 (Guangyue Law Firm) or its lawyers. If you wish to reproduce or quote any part of this article, please contact the firm regarding authorisation and cite the source when doing so. If you would like to discuss related matters further or need professional legal support, you are welcome to contact the firm.


Contact: Ms. 葉文 (Ye Wen)
We look forward to further exchanges with you!
About 廣悅律師事務所 (Guangyue Law Firm)
Founded in 2008, 廣悅律師事務所 (Guangyue Law Firm) is a full-service law firm with an international practice, rooted in the Greater Bay Area and committed to integrated management. It has built a professional team of over one hundred lawyers and other legal service staff and a diversified practice system, offering clients high-quality, comprehensive, one-stop legal services. Following its strategy of “rooted in the Bay Area, coordinating with Hong Kong and Macau, facing the world,” the firm now has eight offices: Guangzhou, Hong Kong, Shenzhen, Bangkok (Thailand), Los Angeles (USA), Sydney (Australia), Tokyo (Japan) and Milan (Italy), with clients across many countries and regions in and outside mainland China.
Contributed by | 廣悅律師事務所 Hong Kong Office
Editor | 吳寶渲 (Wu Baoxuan)
Reviewed by | 黃曉俊 (Huang Xiaojun)
Approved by | Brand Promotion and Market Development Committee


