Clubhouse and data protection – essential info for users and companies

What you need to know, in a nutshell 

• The Clubhouse app’s popularity is rising, however, this causes some concern when it comes to data protection and information security
• The app infringes against transparency and information obligations pursuant to the UK GDPR (Art. 12, 13, and 14) and against the principle of data protection by default (Art. 25 UK GDPR) 
• The provider also uses the phone book data of its users to unlawfully create shadow profiles  
• Theoretically, businesses could use the app in a manner compliant with data protection, if they consider a few measures 
• Reprimands by consumer advocates remain ineffective for the time being 

In this article

• Misuse and manipulation by social networks
• Clubhouse app - Automatic access to contacts
• The problem with Clubhouse shadow profiles
• Recorded discussions in Clubhouse
• Clubhouse Privacy Policy
• Data protection-compliant use of Clubhouse – 5 recommendations for businesses 
• Reprimands against Clubhouse
• Protect your data from apps like Clubhouse

Misuse and manipulation by social networks

US documentaries such as “The Social Dilemma” address the issue of data misuse and manipulation by social networks. Why do US companies, such as the provider of the Clubhouse app, still fail to implement European data protection standards?  

Clubhouse is by no means an exceptional case. Many messenger and communication apps that reach our shores from the US initially fail to meet British and European transparency and data protection standards. And why would they? The rules in the US are different (for now). In the States, the collection of personal data is allowed to a much greater scope. While the United States is demonstrating signs of tightening data protection measures, platforms such as Clubhouse will continue to pose a challenge to British and European standards.

When the Zoom app gained popularity in the UK and Europe in early 2020, similar discussions regarding data protection were held. Following, Zoom addressed data concerns by adjusting their policies. Ian Hulme, the ICO’s Director of Assurance explained: “Video conferencing software and apps are valuable ways of doing business, holding staff meetings and keeping in touch with colleagues. But with everyone working under such extraordinary circumstances, it’s easy to prioritise convenience over security. The ICO can help make it easy to have it always – combining the efficiency of digital connection with the necessity for privacy protection.” 

Clubhouse app - Automatic access to contacts

A key concern with the Clubhouse app is automatic access to the phone book contacts of users. Why is this so problematic from a data protection point of view? 

When installing Clubhouse, users are prompted to grant the app automatic access to all contacts in their own phone book. Contacts are not informed about this by the operator of the app, and users generally fail to do so themselves as well. Automatic access to a user’s contacts infringes against the obligations to transparency and the provision of information following Art. 12, 13, and 14 of the UK GDPR.  

By automatically synchronising a user’s phone book, the Clubhouse app additionally infringes against the principle of data protection by default specified in Art. 25 UK GDPR. Users do have the option of deactivating automatic access in the settings. However, by doing so, they can no longer send invites and the functionality of the app is restricted.  

The problem with Clubhouse shadow profiles

Privacy advocates object to the creation of so-called shadow profiles by Clubhouse.  What are these, and what’s the problem? 

A leak has revealed that Clubhouse does not store data in a secure manner. The app provider is utilizing data in an unlawful manner to feed databases and create shadow profiles. This means: Personal data are used to create profiles of people, who might not have entered any sort of contractual relationship with Clubhouse. People who do not use the app, but do fall within the target audience of Clubhouse, are identified in this way.  

The app provider therefore analyses personal data, performs sophisticated processing, and uses the information collected without the knowledge of the people behind the data. There is absolutely no legal justification for this procedure, and UK GDPR conformity is highly dubious as well. Clubhouse can neither justify this procedure by referring to existing contractual relationships nor by any overriding legitimate interest. The legitimate interest of non-customers to non-usage of their personal data by Clubhouse clearly overrides the interests of the provider.  

Recorded discussions in Clubhouse

Discussions in the Clubhouse Rooms are recorded. Is this even legal? 

From a data protection point of view, recording individuals is only allowed in the event of consent – of every individual participant in the discussion or in a business context for a limited number of reasons. If the UK GDPR and the Telecommunications Regulations are not observed this legally constitutes unlawful recording of sound and image. 

Good to know: In a business context – the UK GDPR does not cover the private realm – additional legal complications might be brought about if the app runs on a mobile phone which is the property of an employer. This is important to keep in mind as in the because employees should be informed if their business owned mobile phones are being monitored by the employer. Otherwise, this practice can fall under covert monitoring of employees.  

Do users have to worry about statements they make in Clubhouse Rooms being used against them at some point? 

There is reason for concern. We’ve already seen the first prominent case in Germany. The Prime Minister of Thuringia admitted during a Clubhouse meeting that he sometimes fails to pay attention during conferences with the Federal Chancellery. The press picked up on this shortly afterwards. The source and scope of the leak are completely unknown. The Clubhouse privacy policy does not specify what happens with Clubhouse recordings. This is questionable, because users can only effectively assert their rights if they know what happens to their data. A prominent example happened during a Clubhouse meeting in Germany involving the Prime Minister of Thuringia.

In the UK, however, the first incident has been reported. Although less prominent than the German one, a user found a way to stream feeds from multiple chatrooms, yet another data security concern. Learn more about this incident from the BBC here.

Clubhouse Privacy Policy

Can companies use the app in a data protection-compliant manner?  

Using the Clubhouse app in its current version for business purposes is dubious, and brings with it numerous legal challenges. Theoretically, data protection-compliant use is feasible – as a comparison with the WhatsApp messenger service demonstrates, for example. Some data protection authorities consider the use of messenger services by companies to be data protection compliant, if certain conditions are met. 

Data protection-compliant use of Clubhouse – 5 recommendations for businesses 

Reprimands against Clubhouse

The Federation of German Consumer Organisations has now issued a reprimand against Clubhouse. What does that mean for users and businesses?  

Clubhouse is an American company, without subsidiaries in Germany or Europe, therefore, the reprimand will be inconsequential. German law and European data protection regulations cannot be regularly enforced by German consumer advocates in the US. This did send a clear message to the app provider, however, and will hopefully motivate them to rethink their regulations and safeguards for data security in the future.

The reprimand against Clubhouse might lead to a court decision in the future, affecting Apple Store distribution and more. If a decision is reached, consumer protection organisations might reprimand the use of Clubhouse by companies as well.

Protect your data from apps like Clubhouse

With the Clubhouse app’s rising popularity across the globe, it is causing some concern when it comes to data protection and information security. In fact, the app infringes against transparency and information obligations pursuant to the UK GDPR (Art. 12, 13, and 14) and against the principle of data protection by default (Art. 25 UK GDPR). In addition, they also use phone book data of its users to unlawfully create shadow profiles.

Theoretically, if they consider a few measures listed above, businesses could use the app in a manner compliant with data protection, however, reprimands by consumer advocates remain ineffective for the time being.

Stay ahead of your competition with our monthly newsletter! Receive the latest compliance-related business advice, tips, news and events - directly delivered to your inbox every month!

Subscribe now