“Clubhouse”: can companies use the app while adhering to the GDPR?

The “Clubhouse” app is a social network which functions primarily via live podcasts. Users of the app can get together in “clubhouses” for larger online chats or engage in individual exchanges. Although the app is only available for iOS at the moment and although users need a personal invitation to use the app, in addition to downloading the app from the Apple app store, the number of users is growing rapidly all over the world. For now, the majority of “Clubhouse” users appear to be private users, but the app is also of interest to companies, politicians, private organizations and event organizers because it has the potential to be used e.g. for marketing purposes or for customer communication.

Criticism of data privacy practices

But as the app’s popularity has grown, we are also beginning to hear criticism claiming that “Clubhouse” poses a threat to data privacy. Among the app’s critics is Monika Grethel, Commissioner for Data Protection of the Federal State of Saarland, who not only made a critical statement about the app to WirtschaftsWoche magazine (only in German) but also named “three questionable aspects in terms of data protection law” to the Tagesschau news organization (only in German) via an official spokesman. In these statements, Saarland’s data protection authority criticizes the fact that the app can access users’ contact information, its failure to establish clear rules for the handling of personal data and its recording of users’ conversations.

The following assessment in terms of data protection law is intended to consider the extent to which this criticism is justified, as well as examining other aspects of the app which may be problematic.

1. Ability of “Clubhouse” to access users’ contact information

The app does not necessarily need to access users’ contact information, so that the statements below do not stand in the way of using the app, in theory. However, those who want to send an invitation to another user have to allow the app to access the address book of the smart phones they are using. When they do so, their contact information is transmitted to “Clubhouse,” which then processes this information for many different purposes (cf. Clubhouse Privacy Policy, No. 2). According to media reports (only in German), one of the uses of this information is apparently to create “shadow profiles,” i.e. to store information about data subjects who have not even registered with “Clubhouse.” The latter use in particular must be regarded critically, in view of the fact it would hardly be possible to establish a legitimate interest (Article 6(1)(f) of the GDPR) in the processing of non-user data (for details see: Hessel/Leffer, WhatsApp im Unternehmen?, CR 2020, 139–144) (only in German). The app can also access the contact information of users who link their Twitter and/or Instagram accounts to the app. Clubhouse’s privacy policy says the following on this subject: “When you create your account, and/or authenticate with a third-party service like Twitter, we may collect, store, and periodically update information associated with that third-party account, such as your lists of friends or followers.” (cf. Clubhouse Privacy Policy, No. 1 – Personal Data Collected from Third Parties/Publicly Available Sources). In this case as well, the app makes extensive use of the users’ contact and profile information which cannot be traced individually.

2. Unclear rules on the handling of personal data

Based on the examples cited in which Clubhouse’s privacy policy is unclear, the criticism by Saarland’s data protection authority certainly appears to be justified, although this can change if “Clubhouse” revises its privacy policy in the future. But it should also be noted that the criticism of Clubhouse’s privacy policy as unclear is not correct in every case. For example, some critics have claimed that the app fails to give users the option of deleting their account (only in German), but the app’s privacy policy does make a clear statement in this regard (cf. Clubhouse Privacy Policy, No. 5).

3. Recording of conversations

The accusation that “Clubhouse” records all user conversations is a serious charge. But an examination of the app’s privacy policy reveals that recordings are not stored after the meeting is over unless there is a violation of the terms of use (cf. Clubhouse Privacy Policy, No. 1 – Personal Data You Provide). According to the privacy policy, the data collected by the app are stored solely for the purpose of investigating such incidents and the app never records data for muted speakers or audience members. In light of these circumstances, the temporary storage of audio recordings appears to be far less critical from the viewpoint of data protection law, particularly since use of such recordings is strictly limited to the documentation and investigation of breaches of contract in the relationship between “Clubhouse” and users.

Data transfer to the US

The “Clubhouse” app is operated by the US company “Alpha Exploration Co., Inc.,” based in San Francisco. Clubhouse’s privacy policy states as follows with regard to international data transfers: “By using our Service, you understand and acknowledge that your Personal Data will be transferred from your location to our facilities and servers in the United States, and where applicable, to the servers of the technology partners we use to provide our Service.” (cf. Clubhouse Privacy Policy, No. 10 – International Users). This passage does not constitute a valid declaration of consent, which would allow a data transfer to third countries in accordance with Article 49(1)(a) of the GDPR even in the absence of an adequacy decision or other safeguards. For one thing, the consent of the data subject must be “explicit,” which is not the case here. The argument that the data transfer to the US is necessary for performance of the user agreement between “Clubhouse” and its users must be viewed rather critically in light of the ongoing controversy as to whether regular data transfers to third countries can even be justified based on Article 49 of the GDPR. Moreover, “Clubhouse” has not even named a representative in the EU yet, although the company is required to do so in accordance with Article 27 of the GDPR as a controller which is not established in the EU.

Impact on use

To the extent that an assessment of the “Clubhouse” app can be made at this time, the criticism that the app fails to comply with all of the requirements of the GDPR is certainly correct. But this does not mean that using the app would be impermissible, since the requirements in the GDPR generally apply only to those who determine the means and purposes of data processing, and since it makes exceptions e.g. in cases where data are processed for personal purposes. In order to determine who would be responsible for possible data breaches at “Clubhouse,” it is therefore first necessary to distinguish between personal and commercial use of the app.

In accordance with Article 2(2)(c) of the GDPR, the GDPR does not apply to personal use in cases where personal data are processed exclusively for personal or household activities. Accordingly, as long as “Clubhouse” is used solely for private communications, users are generally not required to satisfy the strict requirements of the GDPR, although “Clubhouse” itself remains subject to these requirements (Recital 18 to the GDPR). For this reason, the Bavarian Data Protection Authority for the Private Sector even considers the use of WhatsApp by private associations to be permissible “in most cases” (only in German). But even the household exemption has its limits. For example, the European Court of Justice (ECJ) has ruled in the past that processing cannot be justified by the connection to personal or family life, particularly in cases where personal data are published online. As a result, e.g. the transfer of contact information from users’ address books to “Clubhouse” is not entirely unproblematic from a legal standpoint. But in practice, the risk that private users will get in trouble with the data protection authorities is probably low.

However, this “household exemption” does not apply if “Clubhouse” is being used for business purposes. As a result, companies which process data via the app are required to adhere to the requirements of the GDPR, as well as facing a particular challenge: for the moment, at least, the app does not allow commercial use (cf. Conditions of Use, User Conduct, No. 1). While it is rather unlikely that “Clubhouse” would take legal action against companies which use the app, it is evident from the current terms of use that the app is not designed for use by companies. Accordingly, there is no clear division of responsibilities in terms of data protection law, which is problematic in view of a possible joint controller arrangement in terms of Article 26(1) of the GDPR, which would come into consideration for at least some of the data processing activities in connection with use of “Clubhouse.” Companies should also keep in mind that not only their customers’ data will be processed when they use “Clubhouse,” but also the data of their employees, such as those in the sales or marketing departments. However, they can address this problem by obtaining the consent of the affected employees.

Conclusion and recommendation for companies

There is room for improvement in the “Clubhouse” app from the viewpoint of data protection law. Accordingly, companies which are thinking about using the app for business purposes should undertake an intensive legal review in order to avoid getting in trouble with the data protection authorities and/or damage claims from customers and employees. Some of the problems, such as allowing access to contact information, can be avoided through effective technical design. But clearly there are still risks associated with use of the app, as is the case for many other services as well. Nevertheless, those who would like to have more legal certainty can anticipate that, as the app continues to be developed, it will feature a more privacy-friendly design.

If your company is considering the possibility of using “Clubhouse” or other social networks for business purposes, we would be glad to assist you. We are also available to answer questions from the media about data privacy in the “Clubhouse” app.
