Opinion

The privacy paradox: DeepSeek, data sovereignty, and the illusion of control

The rise of DeepSeek highlights a privacy paradox where consumers demand stronger protections yet willingly share data with platforms governed by lax regulations, particularly in China. Paul Hewett, CEO of In Marketing We Trust, argues this inconsistency calls for greater transparency, accountability, and informed choices to align consumer values with their actions regarding data privacy.

Everyone in the industry and beyond is talking about DeepSeek. It is an undeniably impressive model; its rapid growth, efficiency, and cost-effectiveness are making headlines. This new large language model also comes hot on the heels of TikTok being given a reprieve by the Trump administration, a decision that sparked ongoing debates about data privacy and national security. While many people demand stronger privacy protections, they simultaneously adopt platforms like DeepSeek, which operate under data practices that directly contradict those demands. This paradox deserves closer examination.

Over the past two years, I have been working with industry bodies and helping Australian businesses navigate the evolving requirements of the Privacy Act reforms. When it comes to privacy, we’re all living a paradox. We demand tougher protections, rallying for reform in the name of safeguarding our data. And yet, when faced with the introduction of a tool like DeepSeek, we hand over sensitive information with little consideration of the implications. It’s a telling moment, not just for consumers, but for the broader conversation about data security and sovereignty.

DeepSeek and the Trade-Offs We Ignore

DeepSeek has achieved significant growth, recognised for its efficiency and cost-effectiveness. However, beneath this growth lie serious privacy implications. User data, including inputs, device information, and even keystroke patterns, is stored indefinitely on Chinese servers. This data isn’t just stored; it’s governed by China’s Network Data Security Management Regulations, effective from January 1, 2025.

China’s data privacy framework consists of three main pillars that work together. While the Network Data Security Management Regulations are new for 2025, the core laws (PIPL, CSL, DSL) were established earlier and remain in effect under the new framework. These frameworks highlight the significant disparity in data governance standards globally, and understanding them is critical for those navigating privacy challenges (feel free to skip to the next heading if the intricacies of data governance aren’t quite your cup of tea, I won’t take it personally).

Core Framework

  • Personal Information Protection Law (PIPL): Enacted in November 2021, setting baseline rules for personal data handling.
  • Cybersecurity Law (CSL): The first national law for cybersecurity, focusing on data system integrity.
  • Data Security Law (DSL): Governs data classification and cross-border data transfer.

Government Override Mechanisms

Despite these regulations, privacy is undermined by mechanisms that prioritise state security. The Cyberspace Administration of China (CAC) has primary authority to access and review data.

Companies must:

  • Submit to internal security reviews before transferring “important” data outside China.
  • Categorise data based on its importance to national security, per DSL requirements.

Regulatory Framework and Enforcement Structure

  • Platforms with 50+ million users must file mandatory reports and publish annual social responsibility assessments.
  • Oversight is enforced by multiple authorities, including the CAC, Ministry of Public Security (MPS), and Ministry of Industry and Information Technology (MIIT).
  • Non-compliance can lead to significant fines, personal penalties, and suspension of business operations.
  • Cross-border restrictions require mandatory security assessments, government approval, and data localisation for certain types of data.

This framework prioritises national security over individual privacy rights, leaving data handlers with extensive obligations and the government with broad access and control powers.

The Double Standard in Global Data Access

The contrast between China’s data sovereignty laws and Australia’s international data access framework underscores the imbalance in global privacy standards. While Australia invests heavily in governance to protect consumer privacy, platforms like DeepSeek operate under far less restrictive rules, creating challenges for informed decision-making. Australia’s International Production Order system, for example, enables streamlined access to data from US-based providers under strict agreements. Yet, no such framework exists with China. Australian authorities must navigate complex diplomatic and legal channels to access data stored on Chinese servers, a luxury that Chinese authorities don’t have to reciprocate.

This imbalance raises serious questions. How can consumers be expected to make informed choices when these complexities are obscured? The double standard also highlights the need for greater transparency and accountability from platforms handling sensitive user data.

Consumer Behaviour and the Privacy Disconnect

This brings us back to the privacy paradox: the contradiction between amplified consumer demands for privacy and the widespread adoption of platforms with questionable data practices. This inconsistency is particularly significant in light of Australia’s substantial efforts to strengthen privacy governance. On the one hand, Australians are vocal about their desire for stronger privacy protections. The ongoing Privacy Act reforms reflect this collective demand. On the other hand, we eagerly adopt tools like DeepSeek, seemingly unfazed by the implications of our data being stored and governed elsewhere.

The irony is hard to ignore. We decry invasive surveillance and demand data sovereignty; yet we voluntarily entrust our personal information to systems operating under the exact conditions we oppose.

Taking Action to Align Values and Choices

It’s time for a wee reality check. While many consumers may feel powerless, the reality is quite different. Informed choices and accountability have the potential to bridge the gap between the privacy we demand and the actions we take. If we’re serious about protecting our data, it’s time to ask tougher questions about the tools we rely on and the trade-offs we accept:

  • Transparency: Are companies clear about where and how they store data? Are users informed of their rights, or lack thereof, under foreign jurisdictions?
  • Alternatives: Are there privacy-conscious options available? For example, I have set up DeepSeek’s model locally for testing, allowing the technology to be used without transmitting data back to central servers, a stark contrast to its cloud-based service.
  • Accountability: How can companies balance innovation with responsible data stewardship? Personally, I don’t think Chinese companies care about accountability when operating in other countries; it’s simply not a priority for them.

The Future of Privacy Requires More Than Promises

Privacy isn’t just a legal requirement; it’s a foundational principle of trust. The adoption of tools like DeepSeek shows how easily convenience can overshadow caution. But as consumers, we hold more power than we realise. By demanding transparency, exploring privacy-conscious alternatives, and holding companies accountable, we can bridge the gap between the privacy we value and the actions we take.

The question isn’t whether privacy matters. It’s whether we’re ready to act decisively and reshape the standards we expect.

Let’s not just demand reform. Let’s live it.

Paul Hewett is CEO of In Marketing We Trust
