Clubhouse: from global success to privacy sanctions

Clubhouse is a social network based exclusively on voice interactions that has earned headlines and fame at the height of the global pandemic, thanks to the introduction of a more human side within a social platform: first released in March 2020, in 2021 it amassed more than 16 million monthly active users globally, about 90,000 in Italy alone, and then saw a drastic drop in downloads and subscribers.

The DTA preliminarily stated the applicability to the American company of EU Regulation 2016/679 (“GDPR”), by virtue of the so-called targeting criterion (art. 3(2)a) of the GDPR), regardless Alpha Exploration not intending to offer its services towards Italian data subjects, at least in the launch phase. 

Several unlawfulness profiles were discovered by the Authority, including but not limited to lack of transparency on the use of the data of users and their 'friends'; the possibility for room administrators to store and share audio files without the consent of the recorded subjects; improper identification of the lawful grounds for processing (where not entirely missing), with particular reference to the processing carried out for marketing and profiling purposes; violation of the storage limitation principle in connection with the indefinite storage of recordings made by the social network to counter abuse.

In addition to a hefty fine, the Supervisory Authority imposed further corrective measures on Alpha Exploration to protect users, including the compulsory conduction of a data protection impact assessment under Article 35 of the GDPR, the integration of the privacy policy and the appointment of a representative in the Union. Any further processing of data for marketing and profiling purposes carried out without specific user consent was also prohibited.

The analysis provided by the DPA has also the merit of laying bare some worrying dynamics in the functioning of the American platform: we refer in particular to the preventive and indiscriminate recording of all the conversations held on Clubhouse 'for the purpose of investigating possible violations of the community guidelines', a processing that - according to the company's defence - would be based on the legitimate interest of the data controller. 

The Authority's critic in this regard highlights the absolute disproportion between a monitoring described as "widespread and pervasive" and the purpose of preventing and opposing non-compliant behaviours, especially if we consider that some of the rights to be assessed in the balancing test are expressly recognised and protected at a constitutional level (e.g. the rights of freedom of association, expression and thought). Furthermore, the Garante expressly states that, even if we were to admit such processing as lawful, the only appropriate lawful ground for processing would be the free and informed consent of the data subject.

Another issue that deserves attention is the Authority's resounding rejection of the possibility - affirmed by Clubhouse - to rely on a contractual lawful basis for carrying out profiling activities for the purposes of service customisation. In line with previous statements from WP29 and EDPB, the Italian DPA reiterates that the performance of a contract would not generally be an appropriate lawful basis for processing “for the purposes of improving a service or developing new functions within an existing service”. 

This position appears to resemble the content of a recent decision taken by the EDPB according to Article 65 of the GDPR towards the Irish Supervisory Authority in the proceedings against the Meta social media platforms.

If we consider that the processing of personal data for the purposes of the so-called content 'moderation' and customisation constitute the beating heart of social platforms - from Facebook to Twitter, from Tik Tok to Instagram - as well as the foundations of their business model, it may be not too far-fetched to believe that the decision of the Italian Data Protection Authority represents the prelude to a series of interventions on social media by European data protection authorities based on similar, if not entirely analogous assumptions.

The decision against Clubhouse makes clear how the concept of privacy by design is perhaps the most demanding and burdensome challenge that the European legislator has imposed on companies, and how it gains an even greater relevance in the digital context. 

The effective integration of the principles provided for by the data protection legislation from the earliest stages of the development and design of technological solutions has become an essential factor to be competitive on the EU market as well as to avoid suffering significant damage both economically and reputationally afterwards.