平靚正 (read as peng! leng! zeng!)

That’s a common a saying in Cantonese that roughly translates to value for money. (If you really need to know, it literally means Cheap! Nice! Good!)

And that’s probably some DeepSeek offers that the other AI companies can’t match.

It has one of the highest performance scores across various benchmarks, rivaling top AI firms like OpenAI (ChatGPT), Anthropic (Claude) and Google (Gemini).

It’s accessible to anyone with an internet, regardless if you’re using it on a laptop, desktop or mobile device!

Best part… it’s free!

Sounds too good to be true?

But what if I told you it’s also feeding your information to a foreign government?

Sounds like a conspiracy theory, doesn’t it?

Except this time, it isn’t.

In the race to integrate AI into our workflows, many corporate leaders have embraced tools like DeepSeek — a powerful, multilingual AI chatbot. I mean, why not? It’s fast. It’s free. It sounds smart.

But that surface-level convenience can be misleading.

Behind the slick UI and lightning-fast responses lies a question that every responsible leader needs to ask:

Is your business data safe from Chinese government access?

Let’s take a look under the hood.

(Note: This article specifically refers to the web-based version of DeepSeek, not the on-device or offline deployment.)

AI in the palm of your hands.

The Hidden Cost Of Convenience

DeepSeek has gained rapid popularity for its ability to mimic the capabilities of ChatGPT. For business leaders experimenting with AI, it seems like a harmless alternative.

But here’s the part most overlook:

DeepSeek’s backend is rooted in China. And in China, the concept of data privacy operates under a different rulebook.

Unlike platforms governed by Western regulations like GDPR or HIPAA, companies operating in China must comply with laws that compel cooperation with the state. That includes turning over encryption keys, user data, and system access when requested.

Translation? If Beijing asks, DeepSeek must hand over your data. No red tape. No resistance.

You can’t escape the law.

The Legal Mandates You Can’t Ignore

Most of us know the important of legal documents, but most of us (especially the non-lawyers), also dread going through them.

Let me try to keep this simple enough.

Here are the key laws you need to know—and why they matter to you:

• National Intelligence Law (2017): Requires all organizations and citizens to support and cooperate with national intelligence efforts. Article 7 is the big one here. Bottom line? No company in China can say ‘no’ to the government. (Source)

• National Security Law (2015): Mandates all information systems to be “secure and controllable,” effectively granting the government authority to demand access to company systems. (Source)

• Cybersecurity Law (2017): Empowers public security agencies to demand technical support (read: source code and access) (Source)

• Data Security Law (2021): Prohibits companies from sharing data with foreign entities without Beijing’s approval. (Source)

• Personal Information Protection Law (PIPL, 2021): China’s version of GDPR. While it sounds like a privacy safeguard, it includes broad exemptions for state authorities. (Source)

In short, Chinese companies have no legal grounds to deny government access.

Even if DeepSeek wanted to protect your data, it can’t.

Information that can be dangerous in the wrong hands.

What Deepseek Really Collects

According to DeepSeek’s own privacy policy, the tool collects three primary types of data:

• Direct user input – names, emails, and the specific prompts or queries you type.

• Automated metadata – details like IP addresses, your device model, and geolocation.

• Third-party integrations – usage data collected through connected analytics or tracking tools.

Now imagine the implications for your business:

• Strategy discussions: For example, prompts related to quarterly growth planning or restructuring initiatives.

• Sensitive prompts: Such as inquiries into internal HR issues, potential mergers, or compliance gaps.

• Confidential projects: Including product roadmaps, upcoming campaign plans, or pricing model experiments.

All that information lives on servers subject to Chinese jurisdiction.

If we read into the laws outlined in the previous section, the 1+1 basically means this:

Their policy openly states that data may be used to “comply with our legal obligations” or serve the “public interest.” That’s not corporate speak. That’s legal cover for government surveillance.

Is this a cybersecurity threat?

Technical Evidence: A Pipeline To China Mobile

This isn’t just a legal issue. It’s a technical one too.

In late 2024, cybersecurity firm Feroot Security discovered that DeepSeek’s code contains hidden lines designed to transmit user data directly to CMPassport.com — an online portal owned by China Mobile, a state-run telecom giant.

To put that in context:

• China Mobile was banned from operating in the U.S. in January 2021 after the Federal Communications Commission (FCC) determined it posed national security risks. As of the time of writing, the ban remains in effect.

• This isn’t data potentially being shared. This is data being directly routed to a government-owned infrastructure.

It suggests something far more aggressive than we’ve seen before. A built-in capability for real-time surveillance.

Not a request. Not a warrant. Just a technical handshake across the wire.

Everyone around the world is going to be affected.

Global Reach. Global Risks.

Many assume these risks only apply to Chinese citizens.

Not so.

If your team is using DeepSeek from Malaysia, Singapore, Australia, or the U.S., your data is still processed on China-based servers. And those servers operate under Chinese laws.

Here’s the real danger:

Your company might be unknowingly exposing internal IP, market insights, employee information, or legal discussions to a foreign government with no transparency or recourse.

Even your intent to comply with Western privacy laws may be rendered moot by the infrastructure of the tools your team is using.

Is this something the leadership should even bother about?

Why This Should Matter To Corporate Leaders?

Let’s skip the fear-mongering and get pragmatic.

As a corporate leader, your job isn’t just about driving growth—it’s about safeguarding the very foundations that support it: your data, your people, and your strategic thinking.

You’re not just responsible for P&L. You’re accountable for risk management, stakeholder trust, and data governance. And in an era where digital tools are increasingly embedded in every department, these responsibilities take on a whole new weight.

You wouldn’t allow your CFO to manage your books on an app hosted in an adversarial regulatory environment. Why would you let your marketing team, your sales force, or your innovation lab run on tools that export your thinking to state-controlled infrastructure?

This isn’t a fringe concern. It’s a governance issue. A brand reputation issue. A potential breach of fiduciary duty.

This isn’t about politics. It’s about data control. And ultimately, leadership accountability.

Is this some western propaganda?

Let’s Address the Elephant in the Boardroom

That’s a fair question.

Some might argue this entire narrative is exaggerated, part of a larger geopolitical agenda to discredit rising AI competitors from China. After all, Chinese platforms aren’t the only ones collecting massive volumes of data — so do American giants like Google, Meta, and Microsoft.

And yes, some Western countries have their own intelligence-gathering mechanisms and surveillance programs. So, who are we to judge?

But here’s the difference:

In China, compliance with state requests isn’t optional. The legal structure doesn’t just permit government access — it mandates it. And the technical evidence suggests the infrastructure is purposefully built for continuous surveillance.

So while healthy skepticism is encouraged, it shouldn’t distract us from the very real and provable risks at hand.

You don’t need to buy into fear. You just need to understand the facts. And act accordingly.

Leaders need to take the lead on this.

What Smart Leaders Should Do Next

So, what now?

Here are three immediate actions:

#1 Audit your AI stack.

• Identify which tools your teams are using.

• Check where those tools are hosted.

#2 Set clear AI usage policies.

• Limit sensitive work to platforms hosted in trusted jurisdictions.

• Use enterprise accounts with data control features.

#3 Educate your team.

• Most employees have no idea what happens behind the scenes.

• Make data privacy part of your digital literacy programs.

At Radiant Institute , we don’t just talk about AI enablement. We teach it, with practical tools and principles that protect your business. One of our cornerstone modules, the AI Risk & Responsibility Guide, walks teams through 9 critical principles to stay smart, safe, and strategic with AI.

From mitigating hallucinations and guarding against deepfakes, to preventing privacy breaches and over-automation, we train your leaders and teams to think critically about AI risk exposure. These aren’t just nice-to-knows; they’re essentials for any modern organization.

And unlike platforms that rely on questionable infrastructures, our in-house AI assistants are built with privacy-first design and enterprise-grade control.

We know first-hand that control isn’t a luxury. It’s a leadership responsibility.

The thought before pressing enter…

Final Thought: A Prompt To Ponder

“The cost of convenience is often paid in hindsight.”

If you discovered that your internal prompts, strategic plans, and confidential team input were quietly routed through the digital backdoors of a foreign government…

Would you keep using that tool?

That’s the question every corporate leader should be asking before the next AI integration decision.

The answer might determine whether you’re building a smarter organization… or unintentionally outsourcing your intelligence.

Read Up What Brought Us Here

References

1. DeepSeek Privacy Policy – A full overview of what data DeepSeek collects and how it may be used under Chinese jurisdiction: https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html
2. Feroot Security Report – An investigation by Feroot Security revealed DeepSeek’s hidden code transmitting user data directly to a China Mobile-owned server: https://www.feroot.com/news/the-independent-feroot-security-uncovers-deepseeks-hidden-code-sending-user-data-to-china
3. National Intelligence Law – Outlines mandatory cooperation between Chinese citizens/companies and the state’s intelligence efforts: https://en.wikipedia.org/wiki/National_Intelligence_Law_of_the_People%27s_Republic_of_China
4. Cybersecurity Law – Grants the Chinese government authority to demand source code and technical support from tech companies: https://en.wikipedia.org/wiki/Cybersecurity_Law_of_the_People%27s_Republic_of_China
5. Data Security Law – Restricts foreign data transfers and enforces domestic storage requirements for sensitive information: https://en.wikipedia.org/wiki/Data_Security_Law_of_the_People%27s_Republic_of_China
6. Personal Information Protection Law (PIPL) – China’s privacy law, with exemptions that allow state access when deemed necessary: https://en.wikipedia.org/wiki/Personal_Information_Protection_Law_of_the_People%27s_Republic_of_China
7. China PIPL Analysis – A breakdown of how PIPL governs data localization and what it means for international compliance: https://captaincompliance.com/education/china-pipl-data-localization/
8. Select Committee Report – A U.S. House Committee analysis highlighting DeepSeek’s data handling and privacy concerns: https://selectcommitteeontheccp.house.gov/sites/evo-subsites/selectcommitteeontheccp.house.gov/files/evo-media-document/DeepSeek%20Final.pdf
9. News Article – ABC News coverage of DeepSeek’s data transmission pathways and their potential implications: https://abcnews.go.com/US/deepseek-coding-capability-transfer-users-data-directly-chinese/story?id=118465451