The Personal Information Protection Commission (hereinafter referred to as the Personal Information Commission) noted on the 7th that concerns about the personal data collection and processing methods of the Chinese artificial intelligence (AI) service "DeepSeek" have been continuously raised, and they are currently conducting a detailed technical review regarding this matter. The Personal Information Commission urged users to exercise caution until the final review results are announced.
On the same day, the Personal Information Commission held a briefing at the Government Seoul Office and stated that an official inquiry letter was sent to DeepSeek's headquarters (Hangzhou and Beijing DeepSeek AI) on the 31st of last month to confirm the data processing entity, collection items, storage, and sharing methods, and that they are currently awaiting a response from DeepSeek. Additionally, they explained that they are meticulously analyzing DeepSeek's privacy policy and terms of use while technically reviewing the data and traffic transmitted when using the service by constructing an actual usage environment.
They are collaborating with domestic specialized institutions and relevant government departments, and are also in discussions with major privacy regulatory bodies in countries such as the United Kingdom's Information Commissioner's Office (ICO), France's National Commission on Informatics and Liberty (CNIL), and Ireland's Data Protection Commission (DPC). Furthermore, they plan to request cooperation through the Korean-China Personal Information Protection Cooperation Center (KISA Beijing Office) for direct communication with DeepSeek and to utilize the Korean government's official diplomatic channels.
Nam Seok, Director General of the Personal Information Commission, said, "There are many concerns about the possibility that personal data may be transferred to the Chinese government due to different laws and regulations in China compared to Korea," adding, "Accordingly, we are rigorously reviewing whether the overseas transfer of personal data has a legal basis and the possibility of Chinese government involvement in relation to Chinese domestic law."
He added, "We are also discussing these issues with major foreign privacy protection agencies and plan to develop joint response measures if necessary."
The Personal Information Commission is also paying attention to the possibility that DeepSeek may collect sensitive information such as users' keyboard input patterns, audio, files, and chat records while reviewing whether DeepSeek's personal data collection methods comply with domestic laws and international standards.
Nam noted, "It is necessary to clearly confirm how this information is stored and used," adding, "It is also an important review target whether users are guaranteed the right to manage and delete their own information."
He also mentioned the need to strengthen the management and supervision system for overseas-based AI services like DeepSeek. Nam stated, "Currently, DeepSeek does not have an official business site in Korea, which limits its applicability of existing personal information protection laws," adding, "We are preparing regulatory directions for overseas AI services to resolve this issue, and we are also reviewing additional institutional alternatives to protect domestic users."
The Personal Information Commission plans to distribute policy materials to guide privacy protection measures when using generative AI for public and private organizations in the first quarter. Below is a Q&A session with Director General Nam.
― There has been no response yet to the inquiry sent to the DeepSeek headquarters; can you explain the progress?
"An inquiry letter was sent to DeepSeek's headquarters on January 31, and the general response time is about two weeks based on working days. We have not received a response yet and are waiting for one. Separately, we are conducting our own technical analysis and establishing a cooperative system with major foreign privacy regulatory agencies."
― What is the plan for subsequent measures if DeepSeek does not respond?
"At this stage, it is difficult to consider it an official investigation. However, depending on the content of the response in the future, we may review additional measures. It is hard to definitively state specific response measures at this stage as it is hypothetical. However, we are reinforcing cooperation with overseas regulatory agencies, and we may conduct additional inquiries if necessary."
― When did the technical analysis of DeepSeek begin?
"DeepSeek was released at the end of January, and we started the inquiry letter preparation and our own technical analysis right after the reports related to it came out. We are currently analyzing data in cooperation with security-related institutions and experts."
― Do you consider DeepSeek's personal data collection methods excessive compared to other generative AI services?
"At this stage, the priority is to confirm the facts. We are currently analyzing DeepSeek's privacy policy and terms of use compared to other services, and we are also reviewing the technical data transmission methods. If any illegality is found as a result of the analysis, we will take the appropriate measures."
― Since DeepSeek has no business sites in Korea, can the Personal Information Commission impose penalties?
"Even without a domestic business site, if services are provided to Korean users, they are considered personal data processors under the Personal Information Protection Act. There have been cases in the past where penalties were imposed on foreign companies for violating the Personal Information Protection Act. For example, in the case of the chatGPT-related personal data leak incident, fines were imposed for the violation of the obligation to notify of the leak."
― Do you consider that the security risks are higher because DeepSeek is a Chinese service?
"There are many concerns about the possibility that personal data may be transferred to the Chinese government due to different laws and regulations in China compared to Korea. Therefore, we are rigorously reviewing whether the overseas transfer of personal data has a legal basis and the possibility of Chinese government involvement in relation to Chinese domestic law. These points are also being discussed with major foreign privacy protection agencies."
― Are there any measures to prevent DeepSeek's personal data from being transferred abroad?
"There is a legal basis for issuing orders to stop overseas transfers, but this can only be applied as a post-action. Currently, we are in the process of identifying overseas transfer issues in more detail by examining the privacy policy and data transfer paths."
― Which foreign privacy protection agencies is the Personal Information Commission collaborating with?
"Currently, we are cooperating with the ICO in the UK, CNIL in France, and DPC in Ireland, and we are continuously sharing information with them. We are also discussing the possibility of joint responses with some agencies in the future."
― Domestic public institutions are also taking measures to prohibit the use of DeepSeek; has the Personal Information Commission internally blocked it as well?
"The Personal Information Commission has not implemented any blocking measures on its own. However, the Ministry of Interior and Safety sent a document to each ministry recommending that they refrain from using DeepSeek for work purposes, and in accordance, we have informed our staff about the related content internally."
― Similar overseas AI services will continue to emerge; will you respond the same way every time?
"We are currently preparing emergency use guidelines related to DeepSeek, and there is a need to establish a long-term management and supervision system for overseas AI services. Last year, we also conducted preliminary assessments of major AI services, and we plan to further specify the privacy protection guidelines in the future."
― Each ministry is individually blocking DeepSeek. Who is going to take action as a whole, and will there have to be a presidential directive to proceed in the future?
"Cooperation and information sharing between ministries is already being sufficiently carried out. I believe that discussions have been held at an overall level, and I feel that it is not appropriate for me to comment on that aspect."
― Is it being investigated whether the personal data of Korean users is included in DeepSeek's large language model (LLM) training data?
"Our main goal is to prepare a virtual usage environment and analyze what personal data is being collected during service use. We are also reviewing issues related to training data and have sent official inquiries to confirm this."
― With the revision of the Personal Information Protection Act, behavior information could also be classified as personal data; are the data input into the LLM also subject to regulations?
"Whether the information collected from the LLM model constitutes personal data should be assessed after a comprehensive review of the privacy policy and terms of use. Just because behavioral information is included in the LLM does not automatically make it subject to prohibition. We will take necessary measures based on the review results."