China and Czech security: Towards a digital colony?
The September warning from the National Cyber and Information Security Agency shook the Czech public debate on data protection. On September 3, 2025, NÚKIB issued a document that bluntly described the transfer of system and user data to the People's Republic of China or entities on its territory as a security threat. According to the office, it is necessary to respond to this threat immediately. This step is unprecedented, as it is the first time that the Czech state has openly stated that it perceives the Chinese environment as structurally untrustworthy. In other words, sending data to China risks it being handed over to Chinese state authorities.

According to NÚKIB materials, the reasons are clear. Chinese laws allow state authorities to compel private companies to cooperate in espionage activities, even in the special administrative regions of Hong Kong and Macau. "The legal environment of the People's Republic of China is untrustworthy from the perspective of the Czech Republic's security," writes the Czech authority without diplomatic niceties. In other words, the Chinese state can request data from any local company at any time—and the company does not dare to resist. This is not paranoia, but a simple fact enshrined in the laws of the Middle Kingdom.
Although business representatives warn against "excessive hysteria" in such cases, the Security Information Service has been warning for several years about growing technological dependence on China. This is almost certainly a deliberate strategy on the part of Beijing. Prague lacks a consistent long-term stance towards Beijing. We heavily regulate or ban some Chinese products, while welcoming Chinese investment. It is a contradictory approach: the state talks about threats to sovereignty, yet continues to support business models dependent on Chinese supplies. There is some truth in this—and that is precisely why the warning seems so provocative. It forces Czech companies and institutions to face the truth. Either we continue in our comfortable dependence, or we pay extra for safer alternatives.
The Czech debate is inevitably linked to the European trend. In Germany, authorities have openly cracked down on the Chinese company DeepSeek, which offers a popular AI application. "DeepSeek transfers users' personal data to China in violation of European law," said Meike Kampová, Berlin's data protection officer. "I have therefore informed Google and Apple, the operators of the largest app stores, of these violations and expect them to review the possibility of blocking the app in the near future." Italy went even further and banned the app at the beginning of the year. All this because of suspicions that the Chinese authorities could gain access to sensitive data of European citizens.
DeepSeek’s silence may be even worse than an admission. The company has not responded to calls from regulators, has not provided documentation on where it processes data, and ignores questions about compliance with personal data protection. In an environment where every European company must have sophisticated data protection processes in place, this attitude comes across as a slap in the face. Some might argue that this is just another episode in the endless trade war between the West and China. However, the DeepSeek case points to deeper problems. Chinese law does indeed create an obligation to cooperate with the regime. So if DeepSeek wanted to operate completely transparently and according to European rules, it would be in conflict with the law of its home country. And that is an unsolvable dilemma. That is why the Germans and Italians are, in effect, saying that Chinese AI applications simply cannot exist in Europe in the long term. Either they become completely independent, or they cease to exist.
The situation is even more complicated for the Czech Republic. We do not have our own strong ecosystem of AI tools, yet we warn against Chinese ones. To an ordinary user, this may seem hypocritical: the state prohibits using an application but offers no replacement. And if a replacement does exist, it is more expensive, slower, and less attractive. This is a reality that politicians often conceal. Instead of openly admitting that security comes at a price, they speak in generalities about the "need to protect data." Citizens then only hear the ban, not the solution.
But to be fair, threats from China are not just hypothetical. Just look at the United States, where authorities last year accused Chinese hackers of a massive attack on telecommunications companies, including AT&T and Verizon. According to former FBI Director Christopher Wray, the attack was "the most significant cyber espionage campaign in China's history." Last year, the US Treasury Department also accused Beijing of hacking into its systems and stealing some unclassified documents.
In the Czech Republic, there is therefore an increasingly vocal debate about whether we are being too soft. When the Americans are sanctioning Chinese companies and the Italians and Germans are withdrawing applications from circulation, wouldn't it be appropriate to impose blanket bans on critical infrastructure, including the exclusion of Chinese suppliers from public contracts? This is likely to be opposed by the lobby of companies that profit from cheap Chinese solutions. The result is a classic Czech compromise—we will warn, but we will not ban. In the field of cybersecurity, however, a half-hearted solution may be worse than none at all.
We need to ask ourselves an uncomfortable question: are we prepared to sacrifice convenience, cheaper services, and rapid technological growth in exchange for greater security and sovereignty? Some would answer yes, succinctly and decisively. Others, however, openly admit that many projects simply cannot do without Chinese suppliers. Many IT companies are unable to eliminate all Chinese technologies because no one will pay for the expensive alternatives (if they even exist). This cynicism is understandable, but also alarming. It means that we are consciously putting ourselves in a position of being hostages to Chinese technologies.
The whole problem can be summed up in one phrase: digital colonization. China has long since stopped exporting only cheap phones and cameras. It also exports its standards, its laws, and its vision of the state and its absolute control over data. If European countries, including the Czech Republic, allow key systems and applications to become dependent on Chinese solutions, then we are voluntarily surrendering part of our sovereignty. Digital colonization is more insidious than historical colonization: invisible, painless, and not accompanied by armies. It comes with applications, cloud services, and investments. And when we realize that data is the new oil, it becomes clear who will control whom.
The DeepSeek case and the September warning from NÚKIB thus reveal something that is not often discussed in Czechia. Technological security does not come for free, and independence from China requires not only political courage but also financial investment. If we are not willing to make these investments, all calls for data protection will become empty gestures. Ultimately, we will have to choose between security and cheap technology. There is no third option. And it is this choice that will determine whether the Czech Republic becomes a victim of digital colonization or whether it manages to maintain control over its own future.