In a novel and probably game-changing transfer, Berlin’s information safety authority (DPA) not too long ago used the Digital Providers Act (DSA) to ask Apple and Google to take down the DeepSeek app[1] from their German shops. The authority argued that DeepSeek violates the Normal Knowledge Safety Regulation (GDPR) by unlawfully transferring consumer information to China, and used a DSA notice-and-action software to press the app shops. This motion basically makes use of a regulation designed to policeillegal on-line content material as a software to implement complicated information safety guidelines.
This case is critically essential as a result of it sits on the intersection of two of the EU’s strongest laws and raises elementary questions. Can the DSA’s “notice-and-action” system (Article 16), sometimes used for issues like hate speech or counterfeit merchandise, turn out to be a shortcut for regulators to implement the GDPR? If that’s the case, we danger turning platforms like Google and Apple into unwilling, quasi-judicial arbiters of complicated privateness disputes. This might additionally result in the fragmentation of Europe’s single market, the place an app could be deemed “unlawful” in a single nation however completely wonderful in one other, all primarily based on non-binding notices.
This text argues that this strategy is a legally problematic overreach. My evaluation makes two central factors. First, the precise GDPR violation claimed by the Berlin authority—an “unlawful information switch”—is itself extremely debatable and certain inconsistent with the European Knowledge Safety Board’s personal skilled tips. Second, whereas imposing the GDPR towards uncooperative international firms not established within the EU is a real problem, utilizing Article 16 discover of the DSA is the flawed software for the job. DSA Article 16 discover mustn’t turn out to be a shortcut for contested GDPR enforcement.As a substitute, I suggest a transparent, two-track framework as an answer:
Monitor 1 (The Default): For firms which are established within the EU or cooperate with authorities, the GDPR’s personal strong enforcement instruments must be used.
Monitor 2 (The Exception): For non-cooperative firms with no EU presence, a extra formal and binding order beneath Article 9 of the DSA (not a mere Article 16 discover) can be utilized as a final resort, making certain correct authorized safeguards and judicial evaluate.
To construct this argument, the article will proceed in three steps. First, it can clarify the related DSA instruments, distinguishing between easy “notices” and binding “orders”. Second, it can study the GDPR problem at hand, demonstrating why the “unlawful switch” declare is on skinny ice. Lastly, it can lay out the proposed two-track framework intimately as a workable answer that respects the distinct roles of each the DSA and the GDPR.
I. Policing Knowledge Safety through the DSA: Unlawful Content material, Notices and Orders
When a DPA believes a service breaches the GDPR, the orthodox route is evident: examine the controller beneath the GDPR, deploy the corrective toolbox in Article 58, and let courts evaluate the end result.
Berlin’s June 27, 2025 intervention towards the DeepSeek app took a completely new path. Unhappy by the inaction of the controller, the Berlin DPA despatched Article 16 Digital Providers Act (DSA) notices to Apple and Google, urging them to deal with the app’s retailer listings as “unlawful content material” and to think about blocking distribution in Germany as a result of DeepSeek allegedly conducts illegal worldwide transfers to China. This transfer was extraordinary and raises a collection of essential authorized questions. This Half explains what the DSA truly permits when the alleged illegality comes from the GDPR, and why notices (Article 16) differ from binding orders (Article 9).
1) Can an app that facilitates presumed GDPR information switch violations be thought of as “unlawful content material” beneath the DSA?
The shocking reply to this query might be sure, – a minimum of textually.
Article 3 (h) DSA, defining “unlawful content material”, was drafted intentionally “technology-neutral” in order that any breach of EU or nationwide regulation (consumer-protection, product-safety, data-protection, IP, and so on.) can qualify. By contemplating as “unlawful content material” “any info that, in itself or in relation to an exercise, together with the […] provision of providers” is opposite to EU legal guidelines, the DSA implies that every one actions are lined —not solely unlawful speech.
For an app-store, the app-listing web page and the binary bundle it factors to are the “info” that the shop hosts on behalf of the developer. Publishing that itemizing allows customers to obtain code that carries out the service (right here: an AI open supply chatbot in its on-line model) that performs the purported illegal GDPR transfers. As a result of the itemizing is the gateway to that illegal exercise, it could be thought of “info … in relation to an exercise not in compliance with Union regulation”. To place it merely, the difficulty right here is that the cellular app, if downloaded onto a European system, sends consumer prompts again to China (the place DeepSeek’s mannequin sits in a Chinese language cloud) for processing and this constitutes unlawful switch in line with the DPA.
As an analogy, in its L’Oréal v. eBay 2011 judgment, the Court docket of Justice held that an internet market itemizing that facilitates the sale of counterfeit items is “info” whose internet hosting can expose the platform to legal responsibility as soon as it’s conscious of the infringement. Likewise, an app-listing that facilitates illegal information exports might be thought of as “info regarding an exercise” that breaches EU regulation.
Critics might argue that an ongoing processing operation will not be “content material” in any respect, and that stretching the definition from, say, hate speech or counterfeit merchandise to information safety regulation non-compliance, dangers turning the DSA right into a catch-all enforcement shortcut. On this view, treating an app-store itemizing as a proxy for a developer’s downstream information processing would successfully deputise intermediaries to police non-obvious, post-download behaviour—past the DSA’s goal, probably at odds with the “with out prejudice” clause vis-à-vis sectoral regulation (Recital 10 DSA) and the ban on common monitoring (Article 8 DSA). That stated, the open wording (“info … in relation to an exercise”) and the legislator’s examples (see the broad record in Recital 12 DSA) don’t appear to exclude such use. The wording of Article 3 (h) thus provides regulators broad leeway, and no CJEU precedent has but narrowed it.
2) Can a data-protection authority use Article 16 notices?
The reply to this query can be optimistic. Article 16 DSA explicitly permits “any particular person or entity” to submit notices. A DPA is an “entity” – it doesn’t should be the Digital Providers Coordinator (DSC). Nothing within the DSA restricts public authorities from utilizing the abnormal discover channel. The Berlin DPA due to this fact acted inside the textual content of Article 16.
Article 16 DSA (notice-and-action) is a voluntary set off: it obliges platforms to supply mechanisms to obtain notices, to course of them diligently, and—if illegality is established—to behave. However it isn’t an enforceable order. A discover beneath Article 16 merely provides Apple and Google precise information of the DPA’s place; it doesn’t compel removing. The platforms should nonetheless take an unbiased, proportionate resolution after which inform the notifier (and the developer) what it did and why (Article 17 DSA). As soon as the shops have “precise information”, the conditional legal responsibility exemption in Article 6 DSA (ex-eCommerce Directive Article 14) falls away in the event that they “don’t act expeditiously”. That creates strain to take motion – however they continue to be free to conclude that the content material will not be unlawful after a diligent evaluation.
In distinction, Article 9 DSA empowers “related nationwide judicial or administrative authorities” to problem a binding order to behave towards a number of particular objects of unlawful content material, with strict type necessities (authorized foundation; causes; redress…). If the Berlin DPA wished a compulsory takedown, it might have tried to acquire an Article 9 order.[2] Non-compliance with such an order would expose Apple and/or Google to danger of fines of as much as 6 % of world turnover.
Takeaway: Notices are non-binding; orders bind—and should be exact, vital, and reviewable.
4) Basic-rights guardrails and proportionality
Past the formal necessities of orders beneath Article 9 DSA, the European Court docket of Justice (CJEU) has persistently emphasised the rules of proportionality and freedom to conduct a enterprise. A broad demand to delist a whole app, notably when the underlying authorized principle is contested, sits uneasily with these requirements. The Court docket’s jurisprudence on blocking measures, comparable to within the UPC Telekabel Wien judgment, stresses that intermediary-focused restrictions should benecessary, focused, and efficient. Delisting an app primarily based on a contested information privateness principle, with out a binding order and the judicial safeguards of a proper course of, dangers inflicting collateral harm to lawful expression, competitors, and innovation.
* * *
As a conclusion to this primary half: Recital 10 DSA says the GDPR governs private information safety. The DSA is about middleman due diligence; it doesn’t rewrite GDPR or shortcut GDPR’s procedural safeguards. The EDPB has repeatedly known as for coherence throughout the GDPR and the brand new digital legal guidelines, stressing that personal-data questions should stay grounded in GDPR’s framework.
A DPA can use Article 16 DSA to flag an app as “unlawful content material” in precept, however that doesn’t create a binding obligation on Apple or Google to delist. The place the case relies on disputed GDPR theories, the legally appropriate path is an Article 9 DSA order by the competent DSA authority/court docket. Utilizing Article 16 as a de facto enforcement shortcut dangers blurring the DSA/GDPR boundary the legislature tried to maintain distinct.
With the DSA guardrails in view, the following query is whether or not Berlin’s underlying GDPR principle holds water in any respect.
II. The GDPR angle: why the “unlawful switch” declare is on skinny ice
This Half exams the authorized premise that underpinned Berlin’s discover: that DeepSeek’s processing entails an illegal worldwide switch to China (GDPR Article 46(1)).
The core of the difficulty hinges on the technical definition of a “switch”. Not each cross-border information stream is a “switch” within the particular sense of GDPR’s Chapter V. To qualify, information usually needs to be despatched by an entity within the EU to a different entityoutside the EU.
The GDPR doesn’t outline “switch”. To make clear what falls beneath Chapter V, the EDPB’s Tips 05/2021 (closing) undertake a three-part, cumulative check: a “switch” happens the place
1) A controller or a processor (“exporter”) is topic to the GDPR for the given processing.
2) The exporter […] makes private information, topic to this processing, out there to a different controller, joint controller or processor (“importer”).
3) The importer is in a 3rd nation, […].
DeepSeek is reportedly operated by a controller (Hangzhou DeepSeek AI Co.) exterior the EU, presents providers to EU customers, and processes their information—i.e., it’s topic to Article 3(2). On these details, Chapter V will not be engaged by the preliminary assortment: there isn’t a EU-based exporter disclosing information to China. Storing information in China per se will not be a “switch” beneath Chapter V if the information had been collected immediately from EU customers by a third-country controller that’s itself topic to the GDPR through Article 3(2). That is precisely the state of affairs the EDPB makes use of for instance the boundary between existence of a Chapter V switch and never. Tips 05/2021, Instance 1 describes an organization exterior the EEA that targets EU customers and collects their information immediately. The EDPB states unambiguously: “This doesn’t represent a switch of non-public information … Chapter V doesn’t apply to this case.”
None of this immunises DeepSeek from the GDPR. As a result of DeepSeek “presents providers to information topics within the Union”, it’s caught by Article 3(2). Meaning it should nonetheless adjust to Article 5 rules (lawfulness, equity, goal limitation, and so on.); Article 6 rules; Transparency duties (Articles 12–14); Obligation to call an Article 27representative; Article 32 safety necessities; and so on. The precise problem raised by the Berlin DPA issues the truth that “Chinese language authorities have in depth entry rights to non-public information held by Chinese language firms” and the concern that they may thus request European private information collected by Deepseek. If requested, it’s possible that Deepseek may have no authorized foundation to take action: Deepseek couldn’t, for example, use the “compliance with a authorized obligation to which the controller is topic” Article 6 GDPR authorized foundation, as a result of Recital 45 GDPR could be very clear in saying that the authorized obligation must be solely beneath “Union or Member States Regulation” (see additionally the EDPB place on the Cloud Act).
If the Berlin authority thus believes Deepseek violates the GDPR, it ought to have defined to Apple and Google the exact causes it believes there’s such a violation. It might have finally invoked Articles 5, 6, 24, 32 or others – however actually not Chapter V which is the one GDPR Chapter that doesn’t apply to Deepseek on the present setting.
As a result of DeepSeek reportedly has no EU institution, there isn’t a lead supervisory authority and no one-stop-shop. Any supervisory authority could be competent beneath Articles 55 and 56 GDPR for violations affecting information topics in its territory, topic to cooperation duties. That route lets DPAs open GDPR circumstances that match Article 3(2)—however it doesn’t magically convert alleged GDPR breaches into switch infringements if the EDPB standards aren’t met.
III. Maintain the lanes clear: GDPR for GDPR, DSA for DSA (with a slim, distinctive bridge)
This Half turns the evaluation right into a sensible framework—when to remain within the GDPR lane and when a DSA order could also be justified as ultima ratio.
The Berlin DPA’s transfer is far-reaching as a result of it reimagines Article 16 DSA—a discover mechanism for particular unlawful objects—as an enforcement shortcut for controversial GDPR switch theories. That strategy strains a number of guardrails:
The EDPB’s switch check (Tips 05/2021): direct assortment by a non-EU controller topic to Article 3(2) will not be a Chapter V “switch”. Storage in China might increase substantive GDPR issues, however not per se Article 46 violations absent an EU-to-third-country disclosure.
Article 16 DSA vs Article 9 DSA: notices usually are not orders. In troublesome authorized questions (like takedowns for potential GDPR violations), Article 9 orders are the right channel for binding, reviewable measures towards particular objects.
Basic-rights and proportionality: broad de-listing primarily based on privateness theories—with out a binding order—dangers overshoot.
If each alleged worldwide switch deficiency beneath GDPR turned a DSA “unlawful content material” takedown request to platforms, we’d see systemic overreach: the DSA is an intermediary-liability framework, not a shadow privateness tribunal. DPAs might hearth off inconsistent DSA Article 16 notices, placing platforms within the cross-hairs of divergent theories about “unlawful content material” rooted in GDPR.
It is very important emphasize, nevertheless, that the Berlin DPA didn’t leap straight to the DSA. As its press notice recounts, on 6 Might 2025 the Commissioner requested DeepSeek to take away its German-store apps voluntarily, stop the allegedly illegal transfers to China, or deliver any third-country flows into compliance. It is just when, in line with Berlin, the corporate didn’t comply, that the Commissioner invoked Article 16 DSA on 27 June 2025.
Whereas the Berlin DPA’s declare that his was some sort of “final resort” could be disputed, particularly taking into account that, by the point they issued the Article 16 DSA discover, DeepSeek had already named a authorized consultant within the EU[3]and the Berlin DPA might have tried this avenue earlier than issuing the discover, this escalation spotlights a essential enforcement hole that regulators repeatedly face: easy methods to implement the GDPR towards firms with no EU institution that areunwilling to cooperate.
Certainly, this isn’t a brand new drawback. The Clearview AI saga is the archetype of this problem. Regardless of a number of DPAs throughout Europe issuing strong findings, bans, and fines towards Clearview AI for illegal information processing, sensible enforcement stalled. Regulators confronted vital challenges, together with Clearview AI’s refusal to nominate an EU consultant beneath Article 27 GDPR and its lack of any bodily presence or belongings within the EU to leverage. This jurisdictional loophole makes it extremely troublesome for DPAs to compel compliance, as they lack the direct energy to grab belongings or implement fines throughout borders. It’s exactly this enforcement hole that calls for a better answer—one which distinguishes between cooperative and non-cooperative actors.
Acknowledging that hole is essential. It’s exactly why I suggest a two-track framework.
Monitor 1 (the default): EU presence or cooperation
If the service has an EU institution (or, although non-established, cooperates and undertakes to repair points), then GDPR enforcement must be the first route: corrective orders, fines, and, the place warranted, suspensions beneath the safety of Chapter VIII GDPR. The corporate itself can implement cures (e.g., Article 27 consultant; transparency; lawful bases; safety; …). Following a direct order primarily based on related information safety legal guidelines an organization might additionally resolve itself to droop or withdraw its app from internet hosting shops. That is what DeepSeek reportedly did in Italy, following the Garante’sformal, pressing order on 30 January 2025 imposing a direct limitation of processing on DeepSeek (see the press discover and the order textual content) but in addition in South Korea, the place Deepseek initially eliminated its app, then resumed its servicesafter agreeing to implement corrective measures really useful by the nation’s privateness watchdog.
An Article 16 discover would possibly after all nonetheless be filed when the measures usually are not applicable, however platforms must be cautious of delisting till there’s a binding DSA order (Article 9).
Monitor 2 (the exception): No EU presence and non-cooperation
When a non-EU service topic to Article 3(2) refuses to interact, and/or all GDPR avenues (together with makes an attempt to achieve a consultant beneath Article 27 and established GDPR cooperation mechanisms) have failed, a DSA route might turn out to be a last-resort compliance lever—however the appropriate software is a binding, appealable Article 9 DSA order by the competent authority, drafted with the specificity, necessity, proportionality and redress necessities the DSA and EU Regulation require. That preserves due course of and ensures judicial evaluate.
This calibrated strategy preserves the DSA’s construction and GDPR’s integrity, avoids regulatory overreach, and respects the one market. It additionally retains platforms from being drafted into quasi-privacy enforcement the place the lawfulness will not be “manifest.” When privateness is the alleged illegality, the default discussion board ought to stay privateness regulation—except and till a lawful DSA order says in any other case.
Publish Scriptum 1: The German press has reported that Google instructed Berlin’s DPA it won’t take motion “for now”. The creator has been unable to seek out extra info on the precise content material of Google’s or Apple’s response.
Publish scriptum 2. The EDPB’s Tips 3/2025 on the DSA–GDPR interaction (launched on 12 September 2025, after submission of this text) don’t tackle the core questions on this piece. The draft focuses on making certain that DSA workflows (e.g., notice-and-action) themselves adjust to the GDPR. It will be useful if the ultimate tips clarified these questions.
Publish scriptum 3. Whereas this piece was beneath blind peer evaluate, Oliver Schmidt-Prietz revealed a German-language article on the identical matter in “Pc und Recht”. Owing to timing, I used to be unable to take this later publication into consideration.
[1] DeepSeek is a high-profile generative-AI chatbot (praised for robust efficiency and low-cost, partly through open-source releases) usable bothonline and as a cellular app in Apple’s App Retailer and Google Play. Tts fast uptake raised a number of GDPR issues as we’ll present in a forthcoming article. The Berlin DPA’s motion focused solely the app-store listings—not internet use or downloading/utilizing the open-source model from the online.
[2] Article 9 DSA permits “related nationwide judicial or administrative authorities” to problem binding orders to intermediaries to behave towards specificillegal content material, however the DSA neither creates new underlying powers nor designates which authority that’s; these powers should exist underapplicable Union or nationwide regulation and Member States resolve who might problem such orders. In Germany, the Digital Providers Coordinator (BNetzA)states it doesn’t decide illegality or order removals, however forwards complaints to competent our bodies; the Digitale-Dienste-Gesetz (§ 12 DDG)allocates DSA duties throughout authorities and doesn’t usually empower DPAs to problem Article 9 orders. I’m not a German-law specialist; given the present framework’s complexity and obvious gaps, I don’t opine right here on whether or not the Berlin DPA (or, certainly, any of the opposite 16 DPAs in Germany) might have issued an Article 9 order itself or ought to as an alternative have sought a court docket order.
[3] DeepSeek appointed an official EU consultant beneath Article 27 on 28 Might 2025, a full month earlier than the Berlin DPA’s discover. The appointment adopted the Hellenic DPA’s Interim Ruling 18/2025 (issued 21 Might 2025) ordering DeepSeek to nominate such an EU consultant. Though the official certification of this authorized consultant solely intervened on the 4th of July 2025, this appointment created a identified formal channel for engagement beneath the GDPR that doesn’t seem to have been utilized earlier than the Berlin authority escalated to a DSA discover.
Theodore Christakis is Professor of Worldwide, European and Digital Regulation at College Grenoble Alpes (France), Director of Analysis for Europe with the Cross-Border Knowledge Discussion board, Member of the Board of Administrators of the Way forward for Privateness Discussion board and a former Distinguished Visiting Fellow on the New York College Cybersecurity Centre. He’s Chair on AI Regulation with the Multidisciplinary Institute on AI (AI-Regulation.com).
![[CFP] The Legacy of the Big Bang EU Enlargement: Lessons Learned and Future Perspectives](https://i2.wp.com/assets.pubpub.org/dszqce38/favicon-61724872708457-01724931428186.png?w=350&resize=350,250&ssl=1)
