The Personal Information Protection Commission announced on the 24th that it confirmed multiple issues regarding the Chinese AI (artificial intelligence) service corporation DeepSeek following a preliminary inspection of its practices, including inadequate privacy policies, overseas data transfers, and insufficient child information protection.
Since DeepSeek launched its service in the domestic app market in January, concerns have been raised about its methods of collecting and processing personal information, prompting the commission to immediately begin technical analysis and inquiry procedures in collaboration with the Korea Internet & Security Agency. Subsequently, DeepSeek acknowledged its lack of consideration for the Personal Information Protection Act and suspended new downloads in South Korea starting in February.
According to the inspection results, DeepSeek initially provided its privacy policy only in Chinese and English at the start of its service and missed several mandatory items required by Korean law, including destruction procedures, safety measures, and information about responsible parties. It was also specified that sensitive information, such as keystroke patterns and rhythms, was collected; however, it was not actually collected, and the company explained that this was an error in documentation.
A bigger problem arose with the overseas transfer of personal information. It was confirmed that DeepSeek transmitted users' device information, network information, and even the content entered into AI prompts to a cloud service provider in China called "Volcano." This process was conducted without prior notice or consent from the users, and relevant information was absent from the privacy policy. DeepSeek stated it blocked such transfers starting on the 10th, following the commission's remarks.
Issues continued regarding AI training. The content entered into prompts was being utilized for AI training without separate consent, and there was no function available for users to opt-out. Subsequently, DeepSeek introduced the relevant function in March, per the commission's recommendations, and reorganized its AI-related processing procedures.
Child protection measures were also inadequate. DeepSeek stated that it does not collect personal information from children under 14; however, there was no age verification process at the registration stage, making actual verification impossible. The commission also confirmed that an age verification procedure and remediation of certain security vulnerabilities were completed during the inspection process.
Based on the inspection results, the commission decided to issue corrective recommendations to DeepSeek, including immediate destruction of prompt input content, establishment of legal grounds for overseas transfers, and publication of a privacy policy in Korean. It also recommended strengthening child information protection, improving safety measures across the overall personal information processing system, and enhancing the designation of domestic representatives.
If DeepSeek accepts the corrective recommendations, it will be considered a formal corrective order, and results of the implementation must be submitted within 60 days. The commission plans to assess the implementation status at least twice and manage it continuously.
Meanwhile, the commission plans to provide the core contents of the "Personal Information Protection Act Application Guide" for foreign businesses in the form of a checklist as an opportunity for this inspection. This aims to induce overseas corporations to better protect the personal information of Korean users.