DeepSeek AI and the privacy dilemma: challenges for Australian organisations
03 March 2025
Overview
DeepSeek, a Chinese-developed AI model, launched to a whirlwind of publicity in January 2025. Much of the hype arose from the claim that DeepSeek had been developed for a fraction of the cost of OpenAI’s ChatGPT-4 and promised a low-cost alternative for businesses.
However, DeepSeek has since sparked privacy, security, and geopolitical concerns. In February 2025, the Australian Government banned government entities from accessing, using or installing DeepSeek due to risks related to national security and potential foreign data access. Major Australian corporations, including Woolworths[1] and Commonwealth Bank of Australia[2], have stated they will not adopt DeepSeek, while numerous organisations including TPG[3], Optus[4] and Telstra[5] have restricted their employees from using DeepSeek for work-related activities.
Privacy Commissioner Carly Kind has expressed concerns regarding DeepSeek and similar AI models, and while the Office of the Australian Information Commissioner (OAIC) has decided not to investigate DeepSeek for now, they are closely monitoring activities of other overseas regulators.[6]
This article examines some of the privacy, security, and regulatory issues associated with the use of DeepSeek and other AI products.
DeepSeek’s privacy practices
DeepSeek is a generative AI large language model (LLM). Like OpenAI’s ChatGPT-4, it can extract significant insights from seemingly trivial inputs, presenting both opportunities and risks.[7]
A key concern for organisations using DeepSeek (and other LLMs) should be its data collection, storage, and usage policies. According to its privacy policy, DeepSeek collects various forms of user data, including:
- Personal data: birthdates, phone numbers, and other identifying details
- Technical data: IP addresses, keystroke patterns, and metadata
- AI interactions: chat history and content of queries
User data may be used to provide and administer the service, to improve and develop the service, and to train and improve DeepSeek’s machine learning models and algorithms. This is not dissimilar to the collection and use of data by ChatGPT-4 or Google Gemini. However, DeepSeek stores this data on servers located in China and may share information with third-party providers involved in the provision and support of DeepSeek, with certain members of its corporate group that support the services, and in order to comply with legal processes and government requests.
Key risks
DeepSeek’s use of Chinese-based servers to store user data subjects such data to China’s Cybersecurity Law and Personal Information Protection Law (PIPL). These laws grant the Chinese Government access to stored data, raising concerns about mass data aggregation and potential misuse for phishing, misinformation, or surveillance.[8]
Information security concerns have also been raised with DeepSeek. There is discourse online suggesting that DeepSeek employs anti-debugging techniques that hinder security assessments. In addition, security vulnerabilities such as hardcoded encryption keys, weak cryptographic algorithms, and SQL injection risks may expose user data entered into DeepSeek to potential exploitation.[9]
Compliance with the Privacy Act
The Privacy Act 1988 (Cth) establishes strict requirements for Australian organisations handling personal information, including in relation to cross-border data transfers. AI models such as DeepSeek’s R1, OpenAI’s GPT models, and Google Gemini introduce compliance risks due to data storage, processing, and transfer practices that often lack transparency.
The table below summarises potential APP breaches that may arise through the use of DeepSeek (and other AI products), their causes, and suggested mitigations:

Strengthening compliance measures
In addition to the steps set out above, organisations should consider adopting the following measures:
- Contractual safeguards: ensure there are adequate contractual protections with AI vendors to help the organisation mitigate the above risks, for example, requirements on the vendor to store and process data in compliance with Australian privacy laws, and requirements on the vendor to assist with the ongoing monitoring of the accuracy of AI outputs.
- Regular compliance audits: conduct periodic security reviews and risk assessments (or ensure access to independent third-party audit results) to ensure AI vendor policies align with Australian privacy requirements and that AI vendors are complying with their contractual obligations.
- Internal AI governance policies: educate employees on AI-related privacy risks and establish clear guidelines on AI use within the organisation.
Key takeaways
While AI models like DeepSeek may appear to offer cost-effective solutions, their privacy and information security risks cannot be overlooked. Organisations should closely consider whether they are complying with their Privacy Act obligations, implement robust security controls and ensure appropriate contractual safeguards are in place with AI vendors before deciding whether to adopt AI products.
[1] A Woolworths spokesman said, “Google’s Gemini is our only approved data and AI platform and DeepSeek is not used in any form across our business.” Tess Bennett, ‘Australian Developers Trialling DeepSeek Say It’s 5 Times Cheaper’ (17 February 2025) Australian Financial Review
[2] “We closely review developments in the field of AI which include the release of new open-source models. In the case of DeepSeek, we do not use it and have no current plans to do so,” a spokeswoman for CBA said. Tess Bennett, ‘Australian Developers Trialling DeepSeek Say It’s 5 Times Cheaper’ (17 February 2025) Australian Financial Review (Article link as at [1]).
[3] Communications Today, ‘TPG Telecom and Optus Ban DeepSeek AI on Workplace Devices’ (7 February 2025) Communications Today
[4] Optus said it had blocked access to DeepSeek for its employees. Tom Williams, ‘DeepSeek Banned at NBN, ABC, AusPost’ (11 February 2025) Information Age (verification required to access article: https://ia.acs.org.au/article/2025/deepseek-banned-at-nbn-abc-auspost.html).
[5] Telstra said it had “made the decision to limit access to DeepSeek” for its workers. Josh Taylor, ‘Australia News Politics Live: Telstra blocks its staff from using DeepSeek AI app’ (5 February 2025) The Guardian
[6] Carly Kind, ‘Guidance on Privacy and Developing and Training’ LinkedIn
[7] University of Sydney, ‘Australia Bans DeepSeek from Government Devices: Experts React’ (6 February 2025) University of Sydney News
[8] Bobby Allyn, ‘International Regulators Probe How DeepSeek Is Using Data. Is the App Safe to Use?’ (31 January 2025) NPR
[9] SecurityScorecard, ‘A Deep Peek at DeepSeek’ (10 February 2025) SecurityScorecard Blog

