(by Federica De Stefani, lawyer and head of Aidr Lombardy Region)

Clubhouse is an app that offers an audio chat service, that is, the possibility of creating rooms in which to converse on specific topics in real time.

It is seen as a new social network that revolutionizes the way we communicate and network, and it is very simple to use.

Within each room, members interact with each other only via audio: no photos, no videos, no messages. A sort of radio of the new millennium.

Clubhouse also attracted attention for another aspect, this time of a legal nature: the platform has, in fact, numerous critical issues concerning the processing of users' personal data.

While it is still an experimental app (despite estimates from the beginning of February that speak of 6 million users), the data processing seems to take place in ways that do not take into account the principles of European personal data protection legislation, so much so that the Italian Guarantor has sent a formal request for clarification to the company that owns the platform, to verify that the principles of the GDPR are respected.

The fact that it is an app with a limited audience, as it is still in beta testing (the app is only available for iOS and can only be accessed by invitation), does not affect the methods of data processing and does not justify certain choices which, as mentioned, lend themselves to numerous criticisms.

First of all, the information notice on the processing of personal data, as envisaged and conceived by Art. 13 of the GDPR, completely lacks any reference to the elements that the same provision indicates as indispensable and mandatory information to be provided to the data subject.

The app has its own privacy policy, this must be said, but in essence the information it gives is not in line with the principles of the GDPR.

For example, a valid legal basis for the processing is missing, as is any reference to European legislation; on the contrary, the policy refers only to Californian laws. Furthermore, the designation of a representative in Europe is omitted, even though the company that owns the platform is based in America, as is the designation of a Data Protection Officer.

The critical issues also concern the very mechanism through which the social network works, which imposes a kind of "take it or leave it" on the user: he is offered a sort of "package of conditions" that must be accepted as if it were an indivisible whole, far from the granularity of consent required by the European Regulation.

Another sore point is access to the phone's contact list, which is anything but voluntarily granted by the user, since without access to this data the user cannot obtain invitations to send to his contacts. In this case too, the consent does not have the characteristics of the free and unconditional expression of will required by the GDPR.

Even the system of invitations, and the chain of contacts created by the exchange of invitations sent and received (a real network), presents some critical issues from a privacy standpoint.

The user, in fact, remains an indelible part of the chain that is created, as his name, as well as that of his contacts, would be impossible to hide. This entails the identification of all the subjects with whom he is in contact and their possible profiling based on the exchange of invitations.

A further critical issue is the recording of the conversations that take place in the various rooms.

The platform declares, in fact, that it does not record conversations, but only provides for the possibility of recording and storing them, for a time defined as "reasonably necessary", in the event that a user is alleged to have violated the conditions of use. In this case too, the provision raises several doubts because of the terminology used and, specifically, because of the platform's power to decide the data retention time arbitrarily.

Furthermore, on the storage methods, Clubhouse's privacy policy is rather disconcerting when we read: "You use the Service at your own risk. We implement commercially reasonable technical, administrative, and organizational measures to protect Personal Data." You use the platform at your own risk, as Clubhouse undertakes to take "commercially reasonable" measures to protect user data. Even with a rather generous interpretative effort, it certainly cannot be said that the platform's commitment is comparable to the privacy by default and by design required by the GDPR.

In conclusion, given the many problems and their seriousness, the hope is that the action of the Guarantor for the protection of personal data will, on the one hand, push the platform to review its policy and adapt it to the principles of the European Regulation and, on the other, push users to pay more attention to the processing to which their data are subjected, even by "latest generation" apps.

Clubhouse: beautiful yes, but the personal data?