South Korea's Personal Information Protection Commission (PIPC) has accused the Chinese AI startup DeepSeek of transferring user data without obtaining proper consent. The allegations involve the transfer of personal information from South Korean users to several companies located in China and the United States.

According to the PIPC, DeepSeek's AI service allegedly transmitted user data, including AI prompt content, device information, and network details, to these overseas entities. Specifically, the commission identified that user prompts were shared with a Beijing-based cloud service provider known as Volcano Engine Technology Co. Ltd. This transfer occurred after the app's launch in South Korea in January. The PIPC has stated that DeepSeek failed to secure proper user consent before transferring sensitive data, which violates South Korea's data protection regulations.

In response to these concerns, South Korean regulators took immediate action. In February, new downloads of the DeepSeek application were suspended. An amended directive has been issued, mandating the company to delete all AI prompt data previously sent to Volcano Engine. Furthermore, DeepSeek is now required to establish a clear legal framework that adheres to South Korean regulations for any future cross-border data transfers. While DeepSeek has stated that the data transfers aimed to improve user experience, they reported halting the transfer of AI prompts and data as of April 10.

The Ministry of Foreign Affairs in China has responded to the allegations, denying any state-ordered data collection. They assert that China does not compel private companies to violate data privacy laws in other countries. However, the incident has amplified scrutiny of AI startups and digital platforms operating in South Korea, where regulators are increasingly focused on enforcing data protection, especially concerning cross-border data transmission.

This situation underscores the growing global concerns surrounding data sovereignty and the importance of adhering to local privacy and security regulations. South Korea's revised Personal Information Protection Act (PIPA) in 2023 reflects its commitment to enhancing data protection and aligning with international standards like GDPR. The DeepSeek case highlights how cross-border data flows, especially those involving AI training data, have become a focal point for privacy enforcement worldwide.