"Clubhouse": can companies use the app while adhering to the GDPR?
The "Clubhouse" app is a social network which functions primarily via live podcasts. Users of the app can get together in "clubhouses" for larger online chats or engage in individual exchanges. Although the app is only available for iOS at the moment and although users need a personal invitation to use the app, in addition to downloading the app from the Apple app store , the number of users is growing rapidly all over the world. For now, the majority of "Clubhouse" users appear to be private users, but the app is also of interest to companies, politicians, private organizations and event organizers because it has the potential to be used e.g. for marketing purposes or for customer communication.
Criticism of data privacy practices
But as the app's popularity has grown, we are also beginning to hear criticism claiming that "Clubhouse" poses a threat to data privacy. Among the app's critics is Monika Grethel, Commissioner for Data Protection of the Federal State of Saarland, who not only made a critical statement about the app to WirtschaftsWoche magazine (only in German) but also named "three questionable aspects in terms of data protection law" to the Tagesschau news organization (only in German) via an official spokesman. In these statements, Saarland's data protection authority criticizes the fact that the app can access users' contact information, its failure to establish clear rules for the handling of personal data and its recording of users' conversations.
The following assessment in terms of data protection law is intended to consider the extent to which this criticism is justified, as well as examining other aspects of the app which may be problematic.
1. Ability of "Clubhouse" to access users' contact information
2. Unclear rules on the handling of personal data
3. Recording of conversations
Data transfer to the US
Impact on use
To the extent that an assessment of the "Clubhouse" app can be made at this time, the criticism that the app fails to comply with all of the requirements of the GDPR is certainly correct. But this does not mean that using the app would be impermissible, since the requirements in the GDPR generally apply only to those who determine the means and purposes of data processing, and since it makes exceptions e.g. in cases where data are processed for personal purposes. In order to determine who would be responsible for possible data breaches at "Clubhouse," it is therefore first necessary to distinguish between personal and commercial use of the app.
In accordance with Article 2(2)(c) of the GDPR, the GDPR does not apply to personal use in cases where personal data are processed exclusively for personal or household activities. Accordingly, as long as "Clubhouse" is used solely for private communications, users are generally not required to satisfy the strict requirements of the GDPR, although "Clubhouse" itself remains subject to these requirements (Recital 18 to the GDPR). For this reason, the Bavarian Data Protection Authority for the Private Sector even considers the use of WhatsApp by private associations to be permissible "in most cases." (only in German) But even the household exemption has its limits. For example, the European Court of Justice (ECJ) has ruled in the past that processing cannot be justified by the connection to personal or family life, particularly in cases where personal data are published online. As a result, e.g. the transfer of contact information from users' address books to "Clubhouse" is not entirely unproblematic from a legal standpoint. But in practice, the risk that private users will get in trouble with the data protection authorities is probably low.
Conclusion and recommendation for companies
There is room for improvement in the "Clubhouse" app from the viewpoint of data protection law. Accordingly, companies which are thinking about using the app for business purpose should undertake an intensive legal review in order to avoid getting in trouble with the data protection authorities and/or damage claims from customers and employees. Some of the problems, such as allowing access to contact information, can be avoided through effective technical design. But clearly there are still risks associated with use of the app, as is the case for many other services as well. Nevertheless, those who would like to have more legal certainty can anticipate that, as the app continues to be developed, it will feature a more privacy-friendly design.
If your company is considering the possibility of using "Clubhouse" or other social networks for business purposes, we would be glad to assist you. We are also available to answer questions from the media about data privacy in the "Clubhouse" app.