The Italian Data Protection Authority imposes a EUR 2 million fine on Alpha Exploration Co. Inc., provider of the social network Clubhouse

With Injunction Order No. 377 of October 6, 2022, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali—“Garante”) sanctioned Alpha Exploration Co. Inc. (“Alpha Exploration”) for providing the Clubhouse service in breach of the GDPR (Regulation EU 2016/679).

The social network Clubhouse

Clubhouse is a social network available to the public since 2020, through an app operated by the U.S.-based company Alpha Exploration that has no establishment in the EU. The social network is based on voice interactions that take place in conversation rooms, namely:

  • Users can choose to open a room on a particular subject or access other people’s rooms as listeners.
  • Since January 2022, through the new Clips & Replays function, users can also record and store parts of conversations and share the recordings with third parties.
  • Clubhouse recommends people with whom users may have common interests or connections. Users can also synchronize the address books of their devices with Clubhouse to connect with people they know or to invite their friends to join the social network.

Background

The proceedings began in 2021 following press reports of several issues concerning the processing of personal data in the context of the Clubhouse social network. The Garante also received a claim highlighting critical issues related to security, exercise of data subjects’ rights, the controller’s EU representative, profiling activities, and retention of personal data.

Alpha Exploration maintained that the Garante lacked jurisdiction and that the GDPR was not applicable to the provision of the social network because Alpha Exploration did not, at least originally, offer its services in the European Union. The company’s choice to offer its services only in the United States was said to justify the fact that the information required under Article 13 GDPR was not presented in the relevant privacy policy until August 4, 2021.

It was only in the spring of 2021 that Alpha Exploration, having taken note of Clubhouse’s widespread use globally (90,000 monthly active users in Italy in August 2021), decided to initiate a GDPR compliance program. The company reported that it supplemented the privacy policy for users in the European Union, including with regard to the processing of non-users’ data collected from the address books of users’ devices, specifying, inter alia, the legal basis for processing and data retention criteria. Alpha Exploration also appointed a representative in the European Union under Article 27 GDPR.

The findings of the Garante

The Garante determined that the conditions for applicability of the GDPR set out in Article 3(2)(a) GDPR had been met, since Clubhouse offered its services to data subjects in the European Union, as demonstrated by the high number of European active users in 2021. The Garante asserted its jurisdiction on the basis of Article 55(1) GDPR, because the Clubhouse service was managed by a company that had no establishment in the European Union and it affected data subjects in more than one Member State. As a result, each data protection authority based in a Member State affected by the processing would have jurisdiction to investigate Alpha Exploration’s provision of the Clubhouse service.

On the merits, upon completing the investigation, the Garante posited that Alpha Exploration committed several violations of the GDPR in providing the Clubhouse service, which can be summarized as follows:

  • Unlawful processing: according to the Garante, Alpha Exploration relied on inappropriate legal bases to justify a number of different processing activities. In particular, consent for direct marketing was collected using opt-out mechanisms (which are not allowed).

Additionally, the indiscriminate recording of every conversation in every room was found to be too invasive of data subjects’ rights to be based on the company’s legitimate interest in monitoring possible violations of Clubhouse’s guidelines.

Most importantly, the Garante declared that profiling aimed at showing users personalized content and suggestions could not be based on the need to execute the contract. Indeed, a user could use the service even without providing relevant information for profiling (namely, the user’s interests or any posted content). The Garante also stated that such processing could have led to the creation of a profile different from the one perceived by the data subject (since profiling modalities and logic were not made explicit in the privacy policy), so that participation in the life of the community could have been unduly influenced.

  • Breach of information obligation: according to the Garante, Alpha Exploration violated Articles 5(1)(a) and (e), 12(1), and 13 GDPR due to its failure to provide any information about processing until August 4, 2021. Even after that date, the Garante challenged the completeness and clarity of the published information notice, noting that it lacked information on several aspects (e.g., automated decision-making processes, profiling, data retention periods, the representative in the EU). Additionally, the Garante highlighted inconsistencies between the privacy notice and the terms of service regarding the Clips & Replays function, which resulted in an unclear description of the processing.

Alpha Exploration also failed to provide non-users with information on the processing of their telephone numbers, in violation of Article 14 GDPR. The Garante observed that simply including this information in the privacy policy was not sufficient to comply with Article 14 GDPR obligations, because the information notice is rarely viewed by persons who are not users of the service.

  • Failure to carry out a DPIA: the Garante found that Alpha Exploration violated Article 35 GDPR because it did not carry out a DPIA (Data Protection Impact Assessment) with regard to the profiling of users. Indeed, as provided by the Garante with resolution No. 467 of October 11, 2018,[1] profiling data subjects on the basis of, inter alia, their preferences, interests, or behavior requires a DPIA. The Garante also considered a DPIA necessary because the data processed could include the data of minors.
  • Failure to appoint a suitable EU representative: according to the Garante, Alpha Exploration violated Article 27(4) GDPR by failing to appoint a representative with the appropriate duties and powers. The information notice referred to a webpage where the representative was defined as a “facilitator.” According to the Garante, the representative could not be understood as a mediator or facilitator (i.e., a subject who brings together two or more parties to facilitate the achievement of an objective, without being bound to any of them) because the representative must act on behalf of the controller in fulfilling the obligations arising from the GDPR. Furthermore, the privacy policy provided that data subjects should send every communication to both the representative and the data controller, thus depriving the designation of a representative in the European Union of any meaning.

The measures adopted by the Garante

Based on the above, the Garante ordered Alpha Exploration to:

  1. Stop any further processing carried out for direct marketing purposes—profiling aimed at showing users personalized content and suggestions—as it was based on unsuitable legal grounds;
  2. Pay an administrative fine of EUR 2 million;
  3. Increase the transparency of processing by supplementing the privacy notice and the terms of service and by including a link to a specific privacy notice in the invitation to join the community sent to non-users;
  4. Conduct a DPIA;
  5. Inform the Garante of the implemented measures within 30 days of receipt of the order.

This Clubhouse decision is yet more evidence that the Garante is paying a great deal of attention to multinational companies operating in Italy and providing innovative services (such as social-network and communication services). In addition, while the administrative fine is in line with recent trends, it is worth noting that the company has been required to implement corrective measures and to provide details on them within 30 days. As usual, the hardest part of being subject to an investigation and dealing with a decision from the Garante is not payment of the penalty, but the effort the company must put into implementing the required remedies in a short period of time.


[1] Providing the list of processing activities requiring a DPIA pursuant to Article 35(4) GDPR.
