Berlin’s Data Protection Authority has issued formal demands to Google and Apple requiring the removal of the DeepSeek application from their respective app stores due to significant GDPR compliance violations. The Chinese AI developer’s data handling practices have triggered regulatory action under European privacy legislation, marking a significant enforcement milestone for cross-border data protection.
GDPR Violations Identified in DeepSeek Operations
The regulatory investigation revealed that Hangzhou DeepSeek Artificial Intelligence, operating from Beijing, engages in unauthorized collection of German users’ personal data with subsequent transfer to Chinese servers for processing. This practice directly contravenes Article 46(1) of the General Data Protection Regulation, which establishes strict requirements for international data transfers.
European data protection legislation mandates that all personal data of EU citizens must be processed according to established protection standards. The regulatory assessment determined that Chinese data protection frameworks fall significantly short of European requirements in terms of stringency and comprehensive coverage, creating unacceptable risks for user privacy.
Legal Framework Supporting Enforcement Action
The application of GDPR to DeepSeek’s operations hinges on the company’s absence of official representation within the European Union. Despite lacking local presence, the service actively targets German users through major mobile application distribution platforms, triggering jurisdictional authority under European law.
Regulators specifically noted the service’s localization efforts, including German language descriptions and full operational support in German, demonstrating intentional targeting of European users. This targeted approach establishes clear regulatory jurisdiction regardless of the company’s physical location.
Digital Services Act Implementation
Following DeepSeek’s refusal to voluntarily remove applications from German app stores after the initial request on May 6, 2025, authorities invoked Article 16 of the Digital Services Act (DSA). This provision enables regulatory bodies to notify platform operators about illegal content while requiring appropriate remedial measures.
The DSA framework provides enhanced enforcement mechanisms for addressing non-compliant applications, particularly those originating from jurisdictions with inadequate data protection standards. This coordinated approach strengthens regulatory effectiveness across multiple enforcement channels.
Federal Coordination and Regulatory Support
The Berlin regulator’s initiative has received comprehensive support at the federal level, with coordination involving multiple German supervisory authorities, including the Federal Network Agency (Bundesnetzagentur). This multi-agency approach significantly enhances the legal authority and enforcement potential of the removal demands.
Such coordination between regional and federal structures demonstrates the German government’s commitment to protecting citizens’ personal data and ensuring compliance with European legislation. The unified response indicates a strategic approach to addressing cross-border privacy violations.
Industry-Wide Implications for AI Development
The DeepSeek case establishes important precedents for Chinese AI service developers planning European market entry. Companies must now choose between establishing local EU representation or ensuring complete GDPR compliance when processing European user data, significantly raising compliance barriers.
Apple and Google’s response to these removal demands will substantially influence the availability of Chinese AI services in Europe and establish standards for future regulatory actions against non-compliant applications. Organizations developing AI services must prioritize comprehensive privacy impact assessments and implement robust data protection measures aligned with international standards to avoid similar enforcement actions.
This enforcement action signals a new phase in international data protection enforcement, where regulators actively pursue non-compliant services regardless of their geographic origin. Companies operating in the global digital marketplace must recognize that data protection compliance is not optional but essential for sustained market access in privacy-conscious jurisdictions.
