South Korea: DeepSeek Transferred User Data to China Without Consent

RSS/AFP
Published 2025 Apr 25 Friday

Seoul: South Korea’s data protection authority has found that Chinese artificial intelligence app DeepSeek transferred personal data to Chinese servers without user consent, in violation of local privacy regulations.

The Personal Information Protection Commission (PIPC) revealed on Thursday that DeepSeek had been sending device, network, and even user input data entered in AI prompts to Volcano Engine, a Beijing-based cloud services platform owned by ByteDance, the parent company of TikTok.

"DeepSeek transferred personal data to companies located in China and the United States without obtaining users' consent or disclosing this in the privacy policy at the time the service was launched," said Nam Seok, a PIPC official.

The watchdog began investigating DeepSeek in February amid growing concerns over the app’s handling of sensitive user data. As a result, downloads of DeepSeek have been suspended in South Korea pending a thorough review of its data practices.

While DeepSeek has not commented publicly, the PIPC noted that the company acknowledged failing to properly consider Korea's strict data privacy laws and has voluntarily paused new downloads in South Korea. The company had initially defended its data handling, saying that user information was stored in "secure servers" in China.

The app, particularly its R1 chatbot, had impressed global observers in January for offering comparable AI capabilities at a much lower cost than Western rivals. It racked up tens of millions of downloads shortly after its launch.

However, its rapid rise has drawn scrutiny from governments and regulators. Italy, Australia, and several US states have also raised red flags or taken regulatory actions against DeepSeek over data privacy concerns.

According to the PIPC, DeepSeek claimed the data transfers to Volcano Engine were made “to address security vulnerabilities and improve user interface and experience.” However, under South Korean law, explicit consent must be obtained from users before any personal data can be transferred to foreign entities.

This case adds to the growing international spotlight on data privacy risks linked to Chinese tech firms, especially amid ongoing tensions over cross-border data flows and AI governance.


