Why Clubhouse is yet another example of companies that do not take your and my privacy seriously

Every so often, yet another new social media platform pops up that, according to insiders and early adopters, is going to change the internet.

The success of the Snapchats and TikToks of this world has two things in common: on the one hand, their success often fades just as quickly as their hype started, and on the other – and this is something that the privacy advocate in me finds continuously disturbing – the companies behind those apps never seem to pay any real attention to your and my privacy. In some cases, the main reason for this seems to be a rather disturbing lack of knowledge and understanding of (European or other) data protection laws, but just as often the impression remains that the entire business model of social media companies is built on unbridled data collection with the aim of building user profiles and selling those as ad profiles to advertisers around the globe.

Textbook marketing strategies

The latest rising star in the social media firmament is Clubhouse, an audio file sharing app that you can only access and use after an invitation by one of your friends. 

In other words, it seems that the authors behind Clubhouse have used a few marketing classics to make their new product a success: creating artificial scarcity by limiting access to your product, and counting on the ego of the fortunate few to fuel the hype and to have the masses eagerly await the moment when they too will be included in the inner circle. This technique proved its success on school playgrounds around the world many years ago, as children fiercely searched for that one rare Pikachu card, and even today we all fall for the same strategies…

A word about privacy and GDPR …

But Clubhouse appears to carry the same flaws as so many other success stories in the app store of your choice. The marketing strategy is well thought through, but no one seems to have really thought about respect for your and my privacy along the way.

It is not surprising that Clubhouse is now the subject of investigations by various European privacy authorities. Both the French CNIL and the state DPA in Hamburg, the HmbBfDI, are currently investigating the way in which Alpha Exploration Co., the American company behind Clubhouse, handles the personal data of its current and future users.

In France, the investigation is the result of a petition against Clubhouse, which has now collected more than 10,000 signatures. Anyone who remembers the multi-million fines in France for Google and Amazon last December knows that the CNIL is not afraid to strike hard against American tech companies.

Your contact details processed without you knowing … 

One of the biggest issues with Clubhouse is that the whole story is based on a member-get-member system, where existing members upload their digital phone book and open it up to Clubhouse. Based on that phone book, Clubhouse invites new users or has them invited by its users.

In other words, even if you have not yet received an invitation today, Clubhouse has probably already processed your personal data without your permission via one of your friends or acquaintances, and that in itself is very problematic.

Just a few months ago, the Belgian GBA imposed a hefty fine on dating website Twoo in very similar circumstances, arguing that no valid legal basis under GDPR can be found for the processing of friend data. After all, your friends have not given permission to – in this case – Clubhouse to process their data, nor to you to process and share their data with Clubhouse for that purpose. Nor can Clubhouse and its users rely on a legitimate interest in this context and the processing of contact details of non-users therefore lacks a valid legal basis.  

Incidentally, the need to demonstrate sufficient legal grounds is not an administrative formality. The obligation to have a valid legal basis for any processing of personal data is one of the cornerstones of GDPR and of your and my privacy protection …

Clubhouse goes one step further when it comes to the processing of phone book data of its users. Contact data of current users are not only used to invite new members, but also to compile a database with user statistics or profiles about existing and future users. The first information from the CNIL seems to indicate that Clubhouse is selling or may potentially sell that data to third parties (advertisers). Although Clubhouse itself does write in its privacy policy that it “does not sell your personal information”, it does mention a large number of cases where it can potentially “share” your information with third parties, including for “advertising and marketing services”.

Conversations recorded without you knowing it…

By the way, did you know that Clubhouse is also recording your conversations? That doesn’t have to be a problem, at least as long as Clubhouse only uses those recordings to evaluate any complaints and then permanently removes the recordings from its servers. We do not know whether Clubhouse actually does that, but the previous paragraphs in this article inspire very little confidence.

No transparency…

The German government in particular is also stumbling over the fact that Clubhouse is not transparent at all towards users. The correct contact details of the company behind Clubhouse (“das Impressum”, as it is called under German law) are nowhere clearly to be found, and the privacy policy is only available in English, whereas GDPR requires it to be written in a language that is understandable (for the average user). In comparison, WhatsApp already got a hefty fine in Germany in 2016 because its terms of use were not available in German. Moreover, the privacy policy is missing a lot of mandatory information, for example the retention periods of your personal data and the names of the parties with whom that data is shared…

Another point on which Clubhouse fails to offer transparency is the data collection by means of cookies and other trackers. Clubhouse itself indicates that it collects data in this way and that it shares this data with advertisers via advertising networks. However, as far as we could determine, Clubhouse does not provide a clear overview of which cookies and trackers are used, which data is collected and with whom exactly that data is shared. Moreover, again as far as we could determine, no free and informed opt-in is obtained for the use of those cookies and trackers …

Data export outside the EU

Exporting personal data outside the EU (for example by storing it on servers in the US) is only allowed under strict conditions, with contractual and technical security guarantees in place. Clubhouse, however, limits its privacy policy on this point to the short statement that “By using our Service, you understand and acknowledge that your Personal Data will be transferred from your location to our facilities and servers in the United States, and where applicable, to the servers of the technology partners we use to provide our Service”.

Would you do best to stay away from Clubhouse, then?

Time will tell whether Clubhouse is just another hype or a stayer in the social media landscape. The above comments do not necessarily mean that you should not work with Clubhouse. Follow the hype if you feel called to do so; there is nothing wrong with that.

But as a consumer and citizen, you had better be aware of what big tech companies do with your data, so that you can make conscious choices.

In other words, be careful, inform yourself and carefully read the terms of use and privacy policy of Clubhouse or any other social media app you use.

Want to know more about GDPR, data protection or social media?

Do not hesitate to contact us via bart@siriuslegal.be or book a no-obligation video call with Bart via this link: https://koalendar.com/events/Meet-with-Bart-Van-den-Brande