The social network Clubhouse
Clubhouse is a social network available to the public since 2020, through an app operated by the U.S.-based company Alpha Exploration that has no establishment in the EU. The social network is based on voice interactions that take place in conversation rooms, namely:
- Users can choose to open a room on a particular subject or join other people’s rooms as listeners.
- Since January 2022, through the new Clips & Replays function, users can also record and store parts of conversations and share the recordings with third parties.
- Clubhouse recommends people with whom users may have common interests or connections. Users can also synchronize the address books of their devices with Clubhouse to connect with people they know or to invite their friends to join the social network.
The proceedings began in 2021 following press reports of several issues concerning the processing of personal data in the context of the Clubhouse social network. The Garante also received a claim highlighting critical issues related to security, exercise of data subjects’ rights, the controller’s EU representative, profiling activities, and retention of personal data.
The findings of the Garante
The Garante determined that the conditions for applicability of the GDPR set out in Article 3(2)(a) GDPR had been met, since Clubhouse offered its services to data subjects in the European Union, as demonstrated by the high number of European active users in 2021. The Garante claimed its jurisdiction on the basis of Article 55(1) GDPR, because the Clubhouse service was managed by a company that had no establishment in the European Union and it affected data subjects in more than one Member State. As a result, each data protection authority based in a Member State affected by the processing would have jurisdiction to investigate Alpha Exploration’s provision of the Clubhouse service.
On the merits, upon completing the investigation, the Garante concluded that Alpha Exploration had committed several violations of the GDPR in providing the Clubhouse service, which can be summarized as follows:
- Unlawful processing: according to the Garante, Alpha Exploration relied on inappropriate legal bases to justify a number of different processing activities. In particular, consent for direct marketing was collected using opt-out mechanisms (which are not allowed). Additionally, the indiscriminate recording of every conversation in every room was found to be too invasive of data subjects’ rights to be based on the company’s legitimate interest in monitoring possible violations of Clubhouse’s guidelines.
- Breach of information obligation: according to the Garante, Alpha Exploration violated Articles 5(1)(a) and (e), 12(1), and 13 GDPR due to failure to provide any information about processing until August 4, 2021. Even after that date, the Garante challenged how complete and clear the information notice published was, noting that it lacked information on several aspects (e.g., automated decision-making processes, profiling, data retention periods, the representative in the EU). Additionally, the Garante highlighted inconsistencies between the privacy notice and the terms of service regarding the Clips & Replays function, which resulted in an unclear description of the processing.
- Failure to carry out a DPIA: the Garante found that Alpha Exploration violated Article 35 GDPR because it did not carry out a DPIA (Data Protection Impact Assessment) with regard to the profiling of users. Indeed, as provided by the Garante with resolution No. 467 of October 11, 2018, profiling data subjects on the basis of, inter alia, their preferences, interests, or behavior requires a DPIA. The Garante also considered a DPIA necessary because the data processed could include the data of minors.
The measures adopted by the Garante
Based on the above, the Garante ordered Alpha Exploration to:
- Stop any further processing carried out for direct marketing purposes—profiling aimed at showing users personalized content and suggestions—as it was based on unsuitable legal grounds;
- Pay an administrative fine of EUR 2 million;
- Increase the transparency of processing by supplementing the privacy notice and the terms of service and by including a link to a specific privacy notice in the invitation to join the community sent to non-users;
- Conduct a DPIA;
- Inform the Garante of the implemented measures within 30 days of receipt of the order.
This Clubhouse decision is yet more evidence that the Garante is paying a great deal of attention to multinational companies operating in Italy and providing innovative services (such as social-network and communication services). In addition, while the administrative fine is in line with recent trends, it is worth noting that the company has been required to implement corrective measures and to provide details on them within 30 days. As usual, the hardest part of being subject to an investigation and dealing with a decision from the Garante is not payment of the penalty, but the effort the company must put into implementing the required remedies in a short period of time.
Note: Resolution No. 467 of October 11, 2018, provides the list of processing activities requiring a DPIA pursuant to Article 35(4) GDPR.