After its January order to halt the processing of Italians’ personal data went unheeded, Italy’s data protection authority is trying a different tack: a legally ambiguous “invitation” for Internet Service Providers to take what it calls “appropriate action”—whatever that may mean by Andrea Monti
Backdrop
In late 2024, the artificial intelligence (AI) market appeared firmly under the control of American Big Tech, with little serious challenge from European rivals. That changed abruptly when Deepseek, a Chinese AI platform, burst onto the scene, delivering performance and efficiency that cast doubt on long-held assumptions about US technological superiority in the field.
Once the initial shock subsided, competitors began to cry foul, alleging that Deepseek had effectively parasitised OpenAI’s models. Meanwhile, data protection authorities across Europe launched investigations into possible breaches of privacy law. On 30 January 2025, Italy’s Garante per la Protezione dei Dati Personali ordered Deepseek to cease processing the personal data of Italian users connecting to the platform. Deepseek, asserting that it was not subject to Italian jurisdiction, ignored the order and kept its service accessible from Italy.
The Latest Move
Yesterday, the Garante’s deputy secretary-general, who also heads its department for digital networks and marketing, issued a certified email to Italian ISPs. The message included a copy of the January order and a request that providers take “every action within their competence” to address the fact that Deepseek remains accessible from Italy.
An Ambiguous—and Legally Problematic—Message
It is understandable that the Authority was displeased by Deepseek’s refusal to comply, and perhaps equally understandable that it sought to escalate the matter. A straightforward approach might have been to compel ISPs to block access to Deepseek’s site, much like Italy’s communications authority routinely does with pirate streaming platforms.
Strangely, however, rather than issuing a direct order to filter user connections, the Garante opted for an indirect and opaque approach. It framed its request as a “suggestion”—a type of act unknown to administrative law—conveyed via an internal department lacking the authority to issue binding measures.
The phrase “every action within your competence” is particularly puzzling. Network operators have no unilateral power to block access to Deepseek or any other external platform. The Internet, after all, is not a single system but a network of networks—like Venice, with many small islands linked by bridges. Without a legal order, operators cannot legally intercept all traffic to block specific connections. Doing so would compromise the confidentiality of user communications.
No Legal Basis for ISP Responsibility
Even assuming that Deepseek’s activity constitutes a breach of privacy law, the responsibility to halt illegal activity lies with law enforcement, not private actors. Only prosecutors can take urgent measures in such cases. Since the 2000 EU e-commerce directive, access providers have no general obligation to monitor traffic on their networks and are not held liable for the data that passes through, provided they do not interfere with it.
In legal terms, intervention by an ISP requires explicit authorisation. Should an operator decide to interpose itself between user and service—monitoring, filtering, or blocking connections—it risks becoming legally responsible for that interference.
Why the Digital Services Act (DSA) Doesn’t Apply
Some might argue that the 2000 directive has been superseded by newer legislation—specifically, Article 7 of the EU’s Digital Services Act, which allows providers to take voluntary measures to uphold EU law. Could this form the basis for the Garante’s “suggestion”?
Not quite. As with all EU legislation, the DSA must comply with national constitutions. In Italy, Article 15 of the Constitution protects the confidentiality of communications and stipulates that any interference requires judicial authorisation.
Thus, even under the DSA, an ISP cannot act unilaterally. Blocking traffic without an official order would constitute a breach of user privacy—potentially a criminal offence. This is why interception measures and DNS hijacking for site blocking are only carried out following a formal, justified directive from the judiciary or an independent authority.
Nor does Article 9 of the DSA provide a viable alternative. First, it still requires an explicit order from a competent authority. Second, it applies to the removal of illegal content—not the processing of personal data, which, legally speaking, is not content.
Why Not Issue a Formal Blocking Order?
Why, then, didn’t the Garante take the simpler route and issue a binding order to block Deepseek? One could speculate—perhaps flippantly—that the authority did not want to appear hypocritical: a “privacy watchdog” violating privacy.
More plausibly, the Garante knew it lacked the jurisdiction. Like all national laws, Italy’s apply only within its borders unless international agreements extend their reach.
This is a matter of jurisdiction—a core principle of international law that preserves state sovereignty and prevents legal overreach. A platform that operates from another country and is accessed by users abroad is governed by the laws of the host country, not those of the user’s location.
Deepseek has claimed—plausibly—that it does not operate in Italy. It has no registered office, permanent establishment or Italian-language interface. As such, it argues that Italian law does not apply.
Is It a Universal Crime?
Another avenue might be to argue that Deepseek is committing a criminal offence under Italian law by processing data unlawfully. Article 6 of Italy’s Penal Code allows for extraterritorial application if an offence occurs in whole or in part within Italian territory.
That might apply to online defamation, where reputational damage occurs in Italy. But it is harder to apply this logic to Deepseek. Its servers are located in the United States (the IP address for deepseek.com—104.18.27.90—is managed by Cloudflare and based in the US), and the data is transferred to China. These operations begin and end outside Italy’s borders, placing them beyond national jurisdiction.
Are ISPs Accomplices?
If the Garante is correct in deeming Deepseek’s data practices illegal, its own powers are still limited. Only the judiciary can pursue criminal cases. By notifying ISPs, perhaps the Garante aims to make them accomplices—at least in the sense of “aiding and abetting”, as described in Article 110 of the Penal Code. The logic might be: you were informed, you failed to act, and thus you share responsibility.
Yet this argument is tenuous. Even if informed, ISPs lack the legal authority to act independently and thus cannot be party to any criminal conspiracy.
A Sign of EU Legal Failure
Beyond its legal intricacies, this episode highlights a broader trend: EU states are outsourcing justice. First to independent regulators who are not part of the judiciary, and increasingly to private actors—platforms, ISPs, and “trusted flaggers”—who function as informal enforcers.
This silent shift has two worrying implications. First, it erodes the substance of law, reducing it to moral exhortation. Second, it undermines democratic accountability by handing decision-making over fundamental freedoms to unelected, often opaque entities.
Even if effective, this model of “moral suasion” amounts to a privatised, informal and potentially arbitrary justice system—where pressure replaces law, advice replaces order, and the provider stands in for the judge.
A model that may be efficient, but is dangerously far removed from the rule of law.