Italy officially restricted DeepSeek on January 30, 2025, after the country's data protection authority, Garante, found the AI chatbot failed to meet European privacy standards. The action was not a blanket ban on a foreign AI tool, but rather a targeted regulatory response to what Garante identified as inadequate transparency, insufficient legal justification for data collection, and failure to protect Italian users' personal information under the General Data Protection Regulation (GDPR).

What exactly did Italy's regulator do to DeepSeek?

On January 30, 2025, Garante issued an urgent order limiting how the two Chinese companies operating DeepSeek, Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence, could process personal data from people located in Italy. The order took immediate effect and declared the companies' data processing activities unlawful. This was not merely an app-store removal, though that happened too; it was a formal legal directive to stop collecting and processing Italians' personal data without proper safeguards.

Two days before the enforcement action, on January 28, 2025, Garante had sent DeepSeek a detailed questionnaire asking the company to clarify what personal data it collected, where that data came from, what it was used for, the legal basis for processing it, and whether data was stored on servers in China. The regulator also wanted to know what information was used to train the AI system and how users had been informed about data collection, particularly if the company had scraped data from the web.

DeepSeek's response, submitted on January 29, 2025, claimed the company had not entered the Italian market, had already removed its app from Italian app stores, and considered EU data protection rules inapplicable to them. Garante disagreed, finding that by offering the service to people in the European Union, including Italy, DeepSeek was subject to European privacy law.

Why did Italy's privacy regulator take action against DeepSeek?

Garante identified several specific GDPR violations in its January 30 order. The regulatory concerns centered on transparency, legal authority, and user protection, not on the company's nationality. The key issues included:

• Insufficient transparency: DeepSeek failed to provide clear information about what personal data it collected and how it would be used, violating GDPR Articles 12 through 14, which require companies to inform users about data processing.
• Lack of legal basis: The company did not adequately explain the legal justification for each data processing activity, violating GDPR Article 6, which requires a lawful basis for any data collection.
• Data storage in China: Garante raised concerns about whether personal data from Italian users was being stored on servers in China, raising questions about data security and whether European users had meaningful control over their information.
• Missing EU representative: DeepSeek had not designated a representative in the European Union, violating GDPR Article 27, which requires non-EU companies processing EU residents' data to appoint an EU contact.
• Unclear cooperation: The company failed to adequately respond to Garante's information requests, violating GDPR Article 31, which requires companies to cooperate with data protection authorities.

In plain terms, Garante's concern was not that DeepSeek is a foreign AI tool. The issue was whether people in Italy were receiving enough information and legal protection over their personal data under European privacy law. For businesses and employees, this matters significantly; if workers enter customer data, trade secrets, or regulated information into an AI chatbot, the company may create privacy, confidentiality, or compliance risks.

How to understand DeepSeek's availability in Italy after the restriction?

The restriction created a layered situation rather than a simple on-off switch. Understanding what happened requires distinguishing between different access channels:

• App store removal: Around the time of the regulatory action, DeepSeek was unavailable in Apple's App Store and Google Play in Italy, with users seeing messages that the app was not available or not supported in their country.
• Web access for existing users: Garante's January 30 order noted that the service remained accessible through the website for users who had previously registered, though the company cited large-scale malicious attacks as a reason for limiting new registrations.
• Legal data processing limitation: The formal regulatory measure was an order to limit personal data processing activities, which is distinct from whether the website or app technically functions.

This distinction matters for accuracy. Saying "DeepSeek is banned in Italy" oversimplifies what actually happened. The official legal measure targeted data processing compliance, while app-store availability and web access were separate practical effects. A user asking whether they can access DeepSeek in Italy should understand that access may vary depending on whether they previously registered, which channel they use, and any later compliance changes.

Is this really about privacy, or is it about DeepSeek being Chinese?

The regulatory record shows this is fundamentally a privacy and GDPR compliance issue, not a geopolitical action. Garante's order explicitly cited violations of specific GDPR articles and focused on transparency, legal basis, data security, and user rights. The fact that the companies are Chinese and that data storage in China was discussed was relevant to the regulator's assessment of data security and user control, but the legal foundation of the action was privacy compliance, not national origin.

A more accurate explanation is that Italy restricted DeepSeek because Garante believed the service did not adequately address privacy and GDPR concerns involving users in Italy. This distinction matters because it signals to other AI companies, whether Chinese, American, or European, that operating in the EU requires meeting specific privacy standards. The case sets a precedent that regulators will enforce those standards regardless of where a company is based.

The DeepSeek restriction in Italy represents a turning point in how European regulators approach AI services. Rather than banning foreign AI tools outright, Garante used privacy law as the enforcement mechanism, demanding transparency, legal justification, and user protection. For AI companies operating globally, the message is clear: offering services to European users means complying with GDPR, or facing regulatory action.

" }