By Anuradha Gandhi and Rachita Thakur
Introduction
In recent news, Italy’s data protection authority, the Garante, has blocked the Chinese artificial intelligence model “DeepSeek” over a lack of information on its use of personal data. The authority’s decision came after the Chinese companies that supply the chatbot service to DeepSeek provided information that “was considered to be totally insufficient”. The authority has requested details on the collection of personal data, including its sources, purposes, legal basis and whether it is stored in China[1]. The case highlights potential violations of the OECD Privacy Principles, particularly those related to Collection Limitation, Purpose Specification, Openness and Use Limitation. Additionally, other countries including Taiwan, South Korea and Australia have banned the chatbot, while the United States Congress is considering a bill for a similar ban[2]. Meanwhile, France, Belgium and Ireland have started asking questions regarding the company’s management of user data[3].
This issue is not unique to DeepSeek[4]. The use of other Artificial Intelligence (hereinafter referred to as “AI”) tools, including ChatGPT[5], Gemini[6], Copilot[7] and Kimi AI[8], also raises significant privacy concerns, making it essential to examine these issues across different models rather than isolating a single case.
Key differences & Unique Data Collection
Below is a comparative analysis of various AI tools to better understand the concerns related to data security and privacy.
Category | ChatGPT (Parent Company – OpenAI) | Gemini (Parent Company – Alphabet Inc.) | DeepSeek (Parent Company – High-Flyer, Quant and Alibaba Group) | Kimi AI (Parent Company – Moonshot AI) |
Sensitive Personal Data | Does not explicitly collect sensitive personal information such as government IDs, biometric data or employment data | Collects highly sensitive information, including government-issued IDs, biometric data (facial scans), social security numbers, employment data and criminal records | Collects proof of identity or age when the user contacts support | Collects following information |
Financial and Transactional Data | Collects payment card details and transaction history | Extensive financial data collection, including bank account details, routing numbers, deposits, withdrawals and blockchain transaction data such as Bitcoin | No explicit mention of financial data collection | No explicit mention of financial data collection |
Biometric Data | No biometric data collection | Collects scan of face geometry for identity verification | No biometric data collection | No biometric data collection |
Social Media and Third-Party Data | Collects user-provided social media activity and contact details | Collects third-party financial, credit and fraud detection data | Collects information, such as access tokens, from linked third-party services like Google or Apple during log-in or sign-up | Through Third-Party SDK Privacy Agreements: |
Activity Tracking and Behavioral Monitoring | Tracks content engagement, time zone, device and cookies | Monitors system activity, keystrokes, mouse movements and form entries, and records chat sessions | Collects advertising and tracking data from external partners, including hashed emails and mobile identifiers | Microphone and Camera Permission; Voiceprint Information |
Data Localization
Category | ChatGPT | Gemini | DeepSeek | Kimi AI |
Storage of PI | The policy does not explicitly provide where it would store such data | Personal Information is stored and processed in any country where they have operations or where they engage service providers | 1. The policy provides that Personal Information may be stored in servers located outside the country a user lives in. 2. Personal Information is stored in secure servers in China | The policy does not explicitly provide where it would store such data |
Consent
Category | ChatGPT | Gemini | DeepSeek | Kimi AI |
Consent | It provides that users can opt out of having content provided by them used to train models | It says that a user who uses the services of Gemini thereby gives consent. Provides for disclosure of information upon consent | Explicit user consent before data usage for training. Allows sharing of information with consent across platforms | Consent is the lawful basis for processing personal data (taken from Moonshot AI privacy policy). It seeks user permission for access to microphone, camera and device information. |
Revocation of consent | Right to withdraw consent is provided | Right to withdraw consent is provided | Right to withdraw consent is provided | Right to withdraw consent is provided (taken from Moonshot AI privacy policy) |
Children consent | Does not knowingly collect Personal Data from children under 13. Deletes the Personal Data from systems upon request | If Personal Information of users under the age of 18 is collected, it will be deleted | Does not actively collect personal information from children under the age of 14. If it notices or receives feedback that personal information has been collected without prior consent from a guardian, it attempts to delete the information as soon as possible. | Does not collect information from children below 18 years. If Personal Information of users under the age of 18 is collected, it will be deleted. Provides for the involvement of parents when dealing with minors’ data. (Taken from Moonshot AI privacy policy) |
Retention
Category | ChatGPT | Gemini | DeepSeek | Kimi AI |
Data retention | It retains personal information as long as needed to provide the service, for other legitimate business purposes or to comply with legal obligations. Retention further depends on a number of factors such as the amount, nature and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, the purpose of processing and any legal requirements. | It retains personal information even where registration remains incomplete or is abandoned. Retains Personal Information as long as is reasonably necessary to provide services or for legitimate business purposes, and to comply with its legal and regulatory obligations. On closure of an account it continues to retain Personal Information as necessary to comply with legal obligations such as fraud monitoring, tax, accounting, and financial reporting obligations. | Retains information as long as necessary to provide services. Information is also retained when necessary to comply with contractual and legal obligations, for legitimate business interests and to exercise or defend legal claims. The retention period also depends on the type of information. | Data retained until deleted or upon a deletion request. Data is retained for following purpose: (taken from Moonshot AI privacy policy) |
Security
Category | ChatGPT | Gemini | DeepSeek | Kimi AI |
Security measures | It claims to have commercially reasonable technical, administrative and organizational measures to protect personal information both online and offline from loss, misuse and unauthorized access, disclosure, alteration or destruction. | Takes reasonable measures, including administrative, technical, and physical safeguards, to protect Personal Information from loss, theft, or misuse, and from unauthorized access, disclosure, alteration, and destruction. Measures include: encryption of the Gemini website communications with SSL; two-factor authentication for all sessions; periodic review of Personal Information collection, storage, and processing practices; and restricted access to users’ Personal Information on a need-to-know basis for employees, contractors and agents subject to confidentiality obligations | Maintains commercially reasonable technical, administrative and physical security measures that are designed to protect information from unauthorized access, theft, disclosure, modification or loss. Security measures are regularly reviewed. | Mentions having in place reasonable technical, organizational and security measures. (taken from Moonshot AI privacy policy) |
Conclusion
Upon a detailed examination of the above four policies, the author found that all of them blatantly contravened the legal principles of data privacy.
DeepSeek’s explosive growth has made it the talk of the town, but it has also raised questions regarding its ethical development and handling of data. Critics suggest that DeepSeek may have trained its AI models by learning from US models like OpenAI’s ChatGPT, which raises concerns not only about data extraction methods but also about ChatGPT’s handling of data and the privacy of users’ personal information.
Kimi AI’s privacy policy primarily details the types of information it collects and its dealings with third parties, yet it falls short in addressing key data protection concerns that are covered in its parent company Moonshot AI’s privacy policy. Notably, it lacks transparency on the lawful basis for data processing, user consent mechanisms, data retention periods, security measures, rights of users and protection for children’s data. This lack of comprehensive detail raises concerns about the overall transparency of its privacy practices.
This has further highlighted the need to look at the loopholes or ethical concerns in other AI applications. An AI application like Gemini collects biometric information, such as scans of face geometry extracted from identity documents, without stating the reason for such collection. Biometric data is inherently personal; it cannot be easily changed or anonymized. If AI is collecting such information, it raises concerns about how well users’ privacy is protected by various AI applications.
Rishabh Gupta, Junior Associate Advocate at S.S. Rana & Co. has assisted in the research of this article.
[4] https://chat.deepseek.com/downloads/DeepSeek%20Privacy%20Policy.html
[5] https://openai.com/policies/row-privacy-policy/
[6] https://www.gemini.com/legal/privacy-policy