"Clubhouse": can companies use the app while adhering to the GDPR?

Stefan Hessel

The "Clubhouse" app is a social network which functions primarily via live podcasts. Users of the app can get together in "clubhouses" for larger online chats or engage in individual exchanges. Although the app is only available for iOS at the moment and although users need a personal invitation to use the app, in addition to downloading the app from the Apple app store, the number of users is growing rapidly all over the world. For now, the majority of "Clubhouse" users appear to be private users, but the app is also of interest to companies, politicians, private organizations and event organizers because it has the potential to be used e.g. for marketing purposes or for customer communication.

Criticism of data privacy practices

But as the app's popularity has grown, we are also beginning to hear criticism claiming that "Clubhouse" poses a threat to data privacy. Among the app's critics is Monika Grethel, Commissioner for Data Protection of the Federal State of Saarland, who not only made a critical statement about the app to WirtschaftsWoche magazine (only in German) but also named "three questionable aspects in terms of data protection law" to the Tagesschau news organization (only in German) via an official spokesman. In these statements, Saarland's data protection authority criticizes the fact that the app can access users' contact information, its failure to establish clear rules for the handling of personal data and its recording of users' conversations.

The following assessment in terms of data protection law is intended to consider the extent to which this criticism is justified, as well as examining other aspects of the app which may be problematic.

1. Ability of "Clubhouse" to access users' contact information

The app does not necessarily need to access users' contact information, so the statements below do not, in theory, stand in the way of using the app. However, those who want to send an invitation to another user have to allow the app to access the address book of the smartphone they are using. When they do so, their contact information is transmitted to "Clubhouse," which then processes this information for many different purposes (cf. Clubhouse Privacy Policy, No. 2). According to media reports (only in German), one of the uses of this information is apparently to create "shadow profiles," i.e. to store information about data subjects who have not even registered with "Clubhouse." The latter use in particular must be regarded critically, in view of the fact it would hardly be possible to establish a legitimate interest (Article 6(1)(f) of the GDPR) in the processing of non-user data (for details see: Hessel/Leffer, WhatsApp im Unternehmen?, CR 2020, 139-144) (only in German). The app can also access the contact information of users who link their Twitter and/or Instagram accounts to the app. Clubhouse's privacy policy says the following on this subject: "When you create your account, and/or authenticate with a third-party service like Twitter, we may collect, store, and periodically update information associated with that third-party account, such as your lists of friends or followers." (cf. Clubhouse Privacy Policy, No. 1 - Personal Data Collected from Third Parties/Publicly Available Sources). In this case as well, the app makes extensive use of the users' contact and profile information which cannot be traced individually.

2. Unclear rules on the handling of personal data

Based on the examples cited in which Clubhouse's privacy policy is unclear, the criticism by Saarland's data protection authority certainly appears to be justified, although this can change if "Clubhouse" revises its privacy policy in the future. But it should also be noted that the criticism of Clubhouse's privacy policy as unclear is not correct in every case. For example, some critics have claimed that the app fails to give users the option of deleting their account (only in German), but the app's privacy policy does make a clear statement in this regard (cf. Clubhouse Privacy Policy, No. 5).

3. Recording of conversations

The accusation that "Clubhouse" records all user conversations is a serious charge. But an examination of the app's privacy policy reveals that recordings are not stored after the meeting is over unless there is a violation of the terms of use (cf. Clubhouse Privacy Policy, No. 1 - Personal Data You Provide). According to the privacy policy, the data collected by the app are stored solely for the purpose of investigating such incidents and the app never records data for muted speakers or audience members. In light of these circumstances, the temporary storage of audio recordings appears to be far less critical from the viewpoint of data protection law, particularly since use of such recordings is strictly limited to the documentation and investigation of breaches of contract in the relationship between "Clubhouse" and users. 

Data transfer to the US

The "Clubhouse" app is operated by the US company "Alpha Exploration Co., Inc.," based in San Francisco. Clubhouse's privacy policy states as follows with regard to international data transfers: "By using our Service, you understand and acknowledge that your Personal Data will be transferred from your location to our facilities and servers in the United States, and where applicable, to the servers of the technology partners we use to provide our Service." (cf. Clubhouse Privacy Policy, No. 10 – International Users). This passage does not constitute a valid declaration of consent, which would allow a data transfer to third countries in accordance with Article 49(1)(a) of the GDPR even in the absence of an adequacy decision or other safeguards. For one thing, the consent of the data subject must be "explicit," which is not the case here. The argument that the data transfer to the US is necessary for performance of the user agreement between "Clubhouse" and its users must be viewed rather critically in light of the ongoing controversy as to whether regular data transfers to third countries can even be justified based on Article 49 of the GDPR. Moreover, "Clubhouse" has not even named a representative in the EU yet, although the company is required to do so in accordance with Article 27 of the GDPR as a controller which is not established in the EU.

Impact on use

To the extent that an assessment of the "Clubhouse" app can be made at this time, the criticism that the app fails to comply with all of the requirements of the GDPR is certainly correct. But this does not mean that using the app would be impermissible, since the requirements in the GDPR generally apply only to those who determine the means and purposes of data processing, and since it makes exceptions e.g. in cases where data are processed for personal purposes. In order to determine who would be responsible for possible data breaches at "Clubhouse," it is therefore first necessary to distinguish between personal and commercial use of the app.

In accordance with Article 2(2)(c) of the GDPR, the GDPR does not apply to personal use in cases where personal data are processed exclusively for personal or household activities. Accordingly, as long as "Clubhouse" is used solely for private communications, users are generally not required to satisfy the strict requirements of the GDPR, although "Clubhouse" itself remains subject to these requirements (Recital 18 to the GDPR). For this reason, the Bavarian Data Protection Authority for the Private Sector even considers the use of WhatsApp by private associations to be permissible "in most cases." (only in German) But even the household exemption has its limits. For example, the European Court of Justice (ECJ) has ruled in the past that processing cannot be justified by the connection to personal or family life, particularly in cases where personal data are published online. As a result, e.g. the transfer of contact information from users' address books to "Clubhouse" is not entirely unproblematic from a legal standpoint. But in practice, the risk that private users will get in trouble with the data protection authorities is probably low.

However, this "household exemption" does not apply if "Clubhouse" is being used for business purposes. As a result, companies which process data via the app are required to adhere to the requirements of the GDPR, as well as facing a particular challenge: for the moment, at least, the app does not allow commercial use (cf. Conditions of Use, User Conduct, No. 1). While it is rather unlikely that "Clubhouse" would take legal action against companies which use the app, it is evident from the current terms of use that the app is not designed for use by companies. Accordingly, there is no clear division of responsibilities in terms of data protection law, which is problematic in view of a possible joint controller arrangement in terms of Article 26(1) of the GDPR, which would come into consideration for at least some of the data processing activities in connection with use of "Clubhouse." Companies should also keep in mind that not only their customers' data will be processed when they use "Clubhouse," but also the data of their employees, such as those in the sales or marketing departments. However, they can address this problem by obtaining the consent of the affected employees.

Conclusion and recommendation for companies

There is room for improvement in the "Clubhouse" app from the viewpoint of data protection law. Accordingly, companies which are thinking about using the app for business purposes should undertake an intensive legal review in order to avoid getting in trouble with the data protection authorities and/or damage claims from customers and employees. Some of the problems, such as allowing access to contact information, can be avoided through effective technical design. But clearly there are still risks associated with use of the app, as is the case for many other services as well. Nevertheless, those who would like to have more legal certainty can anticipate that, as the app continues to be developed, it will feature a more privacy-friendly design.

If your company is considering the possibility of using "Clubhouse" or other social networks for business purposes, we would be glad to assist you. We are also available to answer questions from the media about data privacy in the "Clubhouse" app.

[January 2021]