

DeepSeek and China AI Risks — What Thai Organizations Must Know
31 March

DeepSeek Series EP.3
DeepSeek is renowned for its low cost and high performance — the V3 model was trained on a budget of just $5.6 million, its API pricing is 10-50x cheaper than GPT, and the models are fully open-source and free to download. But behind this compelling value proposition lies something every Thai organization must carefully consider before deploying it in production: all data you send to DeepSeek is transmitted to servers in China, governed by laws that allow the Chinese government to access data without notifying users. This article provides a comprehensive risk analysis — from legal frameworks and security vulnerabilities to the impact on Thailand's PDPA — along with practical guidelines for organizations that want to use AI safely.

Quick Summary — Why DeepSeek Is a Risk for Organizations

  • User data is stored on servers in China — DeepSeek's Privacy Policy explicitly states that data is stored and processed in the People's Republic of China
  • National Intelligence Law 2017 compels all Chinese companies to hand over data when the government requests it, without notifying data owners
  • Banned in multiple countries: Italy (nationwide ban), Australia, Taiwan, South Korea (government agencies)
  • Major security breach: Wiz Research discovered an exposed ClickHouse database containing over 1 million records — including chat histories, API keys, and system logs — with no authentication whatsoever
  • No SOC 2 certification, no DPA — does not meet the compliance standards that large organizations require

Data Privacy Risks — Where Does Your Data Go?

The first question every organization must ask before adopting any AI is "Where does our data end up?" For DeepSeek, the answer is unambiguous — all data is transmitted to and stored on servers in China, as stated in DeepSeek's own Privacy Policy.

But the issue goes beyond just where data is stored — the real concern is the legal framework of the country where the data resides. China has several laws that grant the government the power to access data from any company registered in the country:

Relevant Chinese Laws

| Law | Year Enacted | Key Provision | Impact on DeepSeek Users |
|---|---|---|---|
| National Intelligence Law (NIL) | 2017 | All organizations and citizens must support national intelligence work when the state requests it | DeepSeek must hand over all user data when the Chinese government demands it — without notifying users |
| Data Security Law (DSL) | 2021 | Data stored in China falls under state supervision; critical data cannot be transferred abroad | Data sent to DeepSeek falls under this law — the state can inspect and access it at any time |
| Personal Information Protection Law (PIPL) | 2021 | China's personal data protection law, similar to GDPR but with exemptions for the state | While PIPL protects personal data, it contains clear exemptions for "national security" purposes |

The critical provision is National Intelligence Law, Article 7, which states: "All organizations, companies, and citizens shall support, assist, and cooperate with national intelligence work in accordance with the law." This means that regardless of how robust DeepSeek's privacy policy might be, if the Chinese government requests data, DeepSeek has no legal right to refuse.

Data Privacy Comparison — DeepSeek vs ChatGPT vs Claude

To illustrate exactly how DeepSeek differs from other AI providers on data privacy:

| Category | DeepSeek | ChatGPT (OpenAI) | Claude (Anthropic) |
|---|---|---|---|
| Data Storage Location | China 🇨🇳 | USA 🇺🇸 | USA 🇺🇸 |
| Governing Laws | NIL 2017, DSL, PIPL | CCPA, ECPA | CCPA |
| Government Access Without Notice | Yes (per NIL Article 7) | Requires court order | Requires court order |
| GDPR Compliant | ❌ Banned (Italy) | ✔ Compliant | ✔ Compliant |
| SOC 2 Certified | ❌ No | ✔ Yes | ✔ Yes |
| Zero Data Retention (API) | ❌ No | ✔ Yes | ✔ Yes |
| Data Processing Agreement (DPA) | ❌ No | ✔ Yes | ✔ Yes |

The table makes it abundantly clear that DeepSeek lacks the compliance standards that large organizations require. No SOC 2, no DPA, no Zero Data Retention — and most critically, data falls under Chinese law that grants the state unrestricted access. This represents a structural difference that any organization's cybersecurity framework must carefully evaluate.

Countries That Have Banned DeepSeek

DeepSeek's data privacy risks are not merely theoretical — several countries have already taken official action to ban or restrict its use:

| Country | Scope of Ban | Reason | Date |
|---|---|---|---|
| Italy 🇮🇹 | Nationwide ban (removed from App Store) | DeepSeek failed to respond to GDPR inquiries from Garante (Italy's data protection authority) regarding data transfer to China | January 2025 |
| Australia 🇦🇺 | Banned across all government agencies | National security concerns — government data could be accessed by China | February 2025 |
| Taiwan 🇹🇼 | Banned in government, state enterprises, and schools | Data could be accessed by the Chinese government, posing a national security threat | February 2025 |
| South Korea 🇰🇷 | Temporary suspension (removed from App Store) | PIPC (data protection authority) investigating data privacy concerns | February 2025 |
| United States 🇺🇸 (selected agencies) | Banned on government devices (Navy, NASA, Pentagon) | National security — military and space data protection | 2025 |

It is worth noting that the countries banning DeepSeek are either those with strict data protection laws (GDPR, Privacy Act) or those with geopolitical tensions with China. While Thailand has not officially banned DeepSeek, Thai organizations should be aware of these risks — especially as AI Governance becomes an increasingly important global issue.

DeepSeek Security Incidents

Beyond the legal risks, DeepSeek has experienced several alarming security incidents:

Wiz Security Breach — Publicly Exposed Database (January 2025)

The most shocking incident was the discovery by Wiz Research, a renowned cloud security firm. In January 2025, Wiz researchers found that DeepSeek had a publicly accessible ClickHouse database on the open internet with absolutely no authentication — meaning anyone could access it.

The exposed data included:

  • Chat History — over 1 million records of user conversations with DeepSeek
  • API Keys — access credentials for the DeepSeek API that could be misused
  • System Logs and Backend Metadata — internal system information
  • Plaintext Passwords for internal systems

Wiz Research reported that the database was accessible via HTTP interfaces on ports 8123 and 9000 without any login required — a vulnerability that is considered extremely severe by cybersecurity standards. While DeepSeek patched the issue after being notified, no one knows whether the data was accessed by other parties before the fix was applied.
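An exposure of the kind Wiz describes typically arises from one misconfiguration pair: the server bound to every network interface, and an account with no password that accepts clients from any network. As an added defensive example (not Wiz's, DeepSeek's or Saeree ERP's code), the check below parses ClickHouse's `config.xml` and `users.xml` for that pair so an operator can catch it before deployment; the XML fragments are constructed, modelled on ClickHouse's default layout, and the password hash is a placeholder.

```python
"""Audit ClickHouse config for the no-auth public exposure pattern (added example)."""
import xml.etree.ElementTree as ET

WILDCARD_HOSTS = {"0.0.0.0", "::"}      # listen_host values that bind every interface
WILDCARD_NETS = {"::/0", "0.0.0.0/0"}   # users.xml <networks><ip> values allowing any client
PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")

def audit_clickhouse(config_xml: str, users_xml: str) -> list[str]:
    """Return findings; an empty list means the reviewed settings are not publicly open."""
    cfg, usr = ET.fromstring(config_xml), ET.fromstring(users_xml)
    findings = []
    hosts = {e.text.strip() for e in cfg.iter("listen_host") if e.text}
    public = bool(hosts & WILDCARD_HOSTS)
    if public:
        ports = ", ".join(f"{t}={cfg.findtext(t)}" for t in ("http_port", "tcp_port") if cfg.findtext(t))
        findings.append(f"listen_host binds all interfaces ({ports})")
    users = usr.find("users")
    for user in (users if users is not None else []):
        no_password = not any(user.findtext(t) for t in PASSWORD_TAGS)
        nets = {ip.text.strip() for ip in user.iter("ip") if ip.text}
        open_net = not nets or bool(nets & WILDCARD_NETS)   # no <networks> block = no restriction
        if no_password and open_net:
            sev = "CRITICAL" if public else "WARNING"
            findings.append(f"{sev}: user '{user.tag}' has no password and accepts any client IP")
    return findings

# Constructed fragments modelled on ClickHouse's default layout. The first pair reproduces the
# exposed pattern; the second is a hardened counterpart (the hash value is a placeholder).
EXPOSED_CONFIG = """<clickhouse><listen_host>0.0.0.0</listen_host>
<http_port>8123</http_port><tcp_port>9000</tcp_port></clickhouse>"""
DEFAULT_USERS = """<clickhouse><users><default><password></password>
<networks><ip>::/0</ip></networks></default></users></clickhouse>"""
HARDENED_CONFIG = """<clickhouse><listen_host>127.0.0.1</listen_host>
<http_port>8123</http_port><tcp_port>9000</tcp_port></clickhouse>"""
HARDENED_USERS = """<clickhouse><users><default>
<password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
<networks><ip>10.0.0.0/8</ip></networks></default></users></clickhouse>"""

if __name__ == "__main__":
    for line in audit_clickhouse(EXPOSED_CONFIG, DEFAULT_USERS):
        print(line)
```

Run it against the real files from a ClickHouse host (`/etc/clickhouse-server/` by default) as a pre-deployment gate; a binding to `0.0.0.0` is only acceptable together with a password and a restricted `<networks>` list.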

DDoS Attack — Forced to Close New Registrations (January 2025)

During the same period, DeepSeek was hit by a massive DDoS (Distributed Denial of Service) attack that forced the company to temporarily close new registrations. This incident demonstrated that DeepSeek's infrastructure was not yet robust enough for enterprise-grade usage. Later, in March 2025, DeepSeek went down again for 7 hours, affecting users worldwide.

Censorship — When AI Is Controlled by the State

Another issue that reveals DeepSeek's relationship with the Chinese government is content censorship. DeepSeek refuses to answer questions on topics the Chinese government considers "sensitive," including:

  • The Tiananmen Square massacre (1989)
  • Taiwan's status as an independent country
  • Tibet and the Dalai Lama
  • Uyghur internment camps in Xinjiang
  • Criticism of the Chinese Communist Party

This censorship is not merely a matter of "content restrictions" — it demonstrates that DeepSeek is clearly under the control of the Chinese government. If the government can dictate what the AI says, it can equally control what the AI collects and transmits.

Supply Chain Risk — When AI Becomes Part of Your Infrastructure

The risks posed by DeepSeek extend beyond data leaks to include supply chain risks that many organizations overlook. When an organization embeds AI into core business processes — such as generating reports, analyzing data, or serving customers — AI becomes a critical dependency. If it stops working, the business stops too.

Consider these scenarios:

  • DeepSeek gets banned in Thailand overnight — just as Italy banned it in a single day. If your organization relies on the DeepSeek API for core operations, your systems would stop functioning immediately
  • The Chinese government cuts off service to certain countries — in the event of geopolitical tensions, China could revoke access at any time
  • DeepSeek shuts down or changes its policies — the company has no clear revenue model and is funded by High-Flyer, a hedge fund. A shift in business direction could leave users stranded
  • Repeated DDoS attacks or outages — this has already happened multiple times in 2025, including a 7-hour outage with no SLA-based compensation

For organizations planning long-term AI adoption, it is essential to have an Exit Strategy — a contingency plan for switching from DeepSeek to another AI provider. This means designing integrations with an Abstraction Layer that allows you to swap AI providers easily, rather than building hard dependencies on the DeepSeek API directly.
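As an added illustration of the abstraction layer described above (example code, not Saeree ERP's or DeepSeek's own), the gateway below lets business code call one `complete_with_fallback()` while the ordered provider list lives in configuration; it moves to the next provider when one is unreachable and stops retrying a provider that keeps failing, which covers the ban, cut-off and outage scenarios listed above. The OpenAI-style `/chat/completions` request shape, the URLs and the injectable `transport` hook are assumptions.

```python
"""Provider-agnostic chat gateway with fallback (added example, not Saeree ERP code)."""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Callable

class ProviderUnavailable(Exception):
    """Raised when a provider is down, banned, or otherwise unreachable."""

def http_json_transport(url: str, headers: dict, body: dict) -> dict:
    """Default transport: POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except (OSError, ValueError) as exc:  # DNS failure, refused, HTTP 5xx, bad JSON
        raise ProviderUnavailable(url) from exc

@dataclass
class ChatProvider:
    """One OpenAI-style chat endpoint (assumed request shape; adjust per vendor)."""
    name: str
    base_url: str
    model: str
    api_key: str = ""
    transport: Callable[[str, dict, dict], dict] = http_json_transport
    failures: int = field(default=0, init=False)  # consecutive failures (circuit breaker)

    def complete(self, messages: list[dict]) -> str:
        headers = {"Content-Type": "application/json"}
        if self.api_key:
            headers["Authorization"] = f"Bearer {self.api_key}"
        reply = self.transport(f"{self.base_url}/chat/completions", headers,
                               {"model": self.model, "messages": messages})
        return reply["choices"][0]["message"]["content"]

def complete_with_fallback(providers: list[ChatProvider], messages: list[dict],
                           max_failures: int = 3) -> tuple[str, str]:
    """First responding provider wins; returns (provider name, answer). Order is config."""
    for p in providers:
        if p.failures >= max_failures:  # open circuit: skip a provider that keeps failing
            continue
        try:
            text = p.complete(messages)
            p.failures = 0
            return p.name, text
        except ProviderUnavailable:
            p.failures += 1
    raise ProviderUnavailable("all configured providers failed")
```

Swapping DeepSeek for a self-hosted model or another vendor then means editing the provider list, not the code that builds reports or answers customers.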

Bias and Propaganda — The Invisible Risk

Beyond data privacy, there is also a risk concerning the reliability of information that DeepSeek provides. Because DeepSeek is trained on data that has been filtered through the Chinese government's censorship apparatus, its outputs may contain biases on several topics:

  • Political and geopolitical issues — responses may lean toward positions favored by the Chinese government, particularly regarding China-Taiwan relations, the South China Sea, and the Belt and Road Initiative
  • Comparative information — when asked to compare Chinese and foreign products or services, answers may be biased in favor of China
  • Historical events — events that China has "revised," such as the Cultural Revolution or the One-Child Policy, may receive incomplete coverage

For ERP and business tasks, the impact may be minimal. However, if you use DeepSeek for work that requires neutrality — such as international market analysis, vendor comparisons, or due diligence — you should use multiple AI tools to cross-validate the information rather than relying on DeepSeek alone.

DeepSeek and Thailand's PDPA — Critical Considerations

For Thai organizations, the risk from DeepSeek is not limited to potential Chinese government access — it may also violate Thailand's PDPA (Personal Data Protection Act, B.E. 2562).

PDPA Sections 28-29: Cross-Border Data Transfers

PDPA Section 28 stipulates that transferring personal data to another country requires the destination country to maintain adequate personal data protection standards, generally meaning standards comparable to GDPR or APEC CBPR.

While China has PIPL (Personal Information Protection Law), which is structurally similar to GDPR, it contains a critical exemption: data access for "national security" purposes — an exemption so broad that it does not align with international standards. Therefore, transferring personal data to China via DeepSeek may be deemed "inadequate" under PDPA Section 28.

Real-World PDPA Risk Examples

| Scenario | Data Sent | PDPA Risk Level |
|---|---|---|
| HR uses DeepSeek to summarize job applicant resumes | Full names, phone numbers, emails, education history | Very High — personal data sent to China without consent |
| Accounting uses DeepSeek to analyze financial statements | Revenue, expenses, profit/loss, client data | High — business data + client information could be exposed |
| Doctor uses DeepSeek to assist with diagnosis | Health data, medical records | Very High — health data is classified as Sensitive Data under PDPA |
| Lawyer uses DeepSeek to analyze contracts | Party names, agreement details | High — client data + trade secrets at risk |
| Developer uses DeepSeek for coding assistance (no personal data) | General source code, logic | Low — no personal data involved, but watch out for trade secrets |

For more details on PDPA and accounting, see our article PDPA and Accounting — What Accountants Need to Know. For guidance on data security best practices, read Two-Factor Authentication (2FA) — Why It Matters.

Guidelines for Thai Organizations — How to Use DeepSeek Safely

✔ Safe to use if:

  • Internal tasks with no personal data — summarizing public articles, translation, general coding, brainstorming ideas
  • Testing and learning — experimenting with AI capabilities without inputting real data
  • Self-hosting (running locally) — downloading the model and running it on your organization's own servers so that no data leaves your premises — this is the safest approach
  • R&D and prototyping — testing before committing to a full-scale AI investment

❌ Should not use if:

  • Processing customer, patient, or financial data — personal or sensitive business information
  • Compliance with ISO 27001 / SOC 2 is required — DeepSeek does not meet these standards
  • Government or public sector organizations — many countries have already banned it; Thailand may follow
  • Military or national security data — the risk is simply too high
  • Tasks with strict SLA requirements — DeepSeek has experienced multiple outages with no SLA guarantee
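To turn the PDPA risk table and the safe/unsafe lists above into an enforceable control, here is an added example (not Saeree ERP code) of a pre-send gate: it looks for Thai national ID numbers (validated with the ID's check digit so random numbers are not flagged), Thai mobile numbers and e-mail addresses in a prompt, and lets such prompts go only to a self-hosted model or to a vendor with a DPA. The regular expressions, the sample resume text and the provider flags are constructed for the example.

```python
"""Pre-send PDPA gate for AI prompts (added example, not Saeree ERP code)."""
import re
from dataclasses import dataclass

# Constructed patterns: Thai 13-digit national ID, Thai mobile number, e-mail address.
THAI_ID_RE = re.compile(r"(?<!\d)(?:\d[- ]?){12}\d(?!\d)")
THAI_MOBILE_RE = re.compile(r"(?<!\d)0[689]\d[- ]?\d{3}[- ]?\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def thai_id_checksum_ok(candidate: str) -> bool:
    """Mod-11 check digit of the Thai national ID, so random 13-digit numbers are not flagged."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 13:
        return False
    total = sum(d * (13 - i) for i, d in enumerate(digits[:12]))  # weights 13 down to 2
    return (11 - total % 11) % 10 == digits[12]

def classify_prompt(text: str) -> set[str]:
    """Return the categories of personal data found in the prompt (empty set = none)."""
    found = set()
    if any(thai_id_checksum_ok(m.group(0)) for m in THAI_ID_RE.finditer(text)):
        found.add("thai_national_id")
    if THAI_MOBILE_RE.search(text):
        found.add("phone")
    if EMAIL_RE.search(text):
        found.add("email")
    return found

@dataclass(frozen=True)
class Provider:
    name: str
    on_prem: bool   # model runs on the organization's own servers (data never leaves)
    has_dpa: bool   # vendor has signed a Data Processing Agreement

def allowed(provider: Provider, text: str) -> tuple[bool, str]:
    """Policy from the guidelines: personal data only goes on-prem or to a vendor with a DPA."""
    categories = ", ".join(sorted(classify_prompt(text)))
    if not categories:
        return True, "no personal data detected"
    if provider.on_prem:
        return True, f"{categories}: stays on-premises"
    if provider.has_dpa:
        return True, f"{categories}: covered by {provider.name}'s DPA"
    return False, f"blocked: {categories} would leave the organization via {provider.name}"
```

Pattern matching is a floor, not a ceiling: health details or contract terms carry no regular shape, so the gate complements, rather than replaces, the rule that customer, patient and financial data are not sent to a cloud provider without a DPA.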

Alternatives for Thai Organizations

If you need to use AI safely within your organization, there are several alternatives:

| Alternative | Advantages | Limitations | Best For |
|---|---|---|---|
| Self-host DeepSeek | Free, open-source, data stays within the organization | Requires powerful GPUs and a dedicated IT team | Organizations with IT teams + hardware budget |
| ChatGPT / Claude API + DPA | SOC 2 certified, DPA available, Zero Data Retention | More expensive, closed-source | Organizations that need compliance |
| AI within ERP systems | Complete data governance, integrated into a single system | Requires an ERP that supports AI | Organizations already using ERP |

For organizations interested in self-hosting DeepSeek, you can find detailed hardware requirements and cost analysis in EP.4: Running DeepSeek On-Premise — Is It Worth It? For organizations seeking AI with comprehensive data governance, Saeree ERP is currently developing an AI Assistant that operates within the ERP system — meaning your data never has to leave the organization.

Low cost does not always mean good value — the true cost of AI may not be the API fee, but the invisible data risk that comes with it.

— Saeree ERP Team


About the Author

Paitoon Butri

Network & Server Security Specialist, Grand Linux Solution Co., Ltd.