Clubhouse is being investigated by the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL). The regulator says it has received a complaint that Clubhouse has failed to comply with the General Data Protection Regulation (GDPR), the European Union's (EU's) legislation for protecting the data of its citizens. The CNIL says it contacted Alpha Explorations, the parent company of the audio chat app, with questions to assess compliance.

The GDPR was introduced in 2016 and was aimed, above all else, at ensuring the privacy and security of EU citizens. It brought data protection legislation in EU member states up to date and standardized the requirements for organizations handling people's personal information, as well as the penalties for non-compliance. Although the GDPR is enshrined in law for EU countries, it also sets out requirements for organizations in non-EU countries that collect and/or process personal information about EU citizens.

This is where Clubhouse, which has already faced questions about the privacy of its content and its security in China, may have misstepped — if indeed it has. While the nature of the complaint itself has not been outlined, the CNIL notes that there has also been a petition circulating that is intended to alert it to possible breaches by Clubhouse. The petition says that "if a person signs up, the names and numbers of all of their contacts will be uploaded to a secret database… which can then be sold to third parties." The CNIL says it has verified that Clubhouse does not have any operations in any EU countries and that, as such, it is leading the investigation with the cooperation of its counterpart bodies from other member states.

Clubhouse & GDPR: What Happens Next?

The investigation will determine whether or not Clubhouse has a case to answer. Among the key aspects of the GDPR are that only required data is collected and only for the required purposes, that consent is required for processing the data of individuals, that individuals may ask organizations what data they hold about them and how it is used, that the transfer of data across borders should be done safely, and that privacy should be the default and designed into organizational systems and processes.

Non-compliance with the GDPR can result in fines of up to €20 million or 4 percent of annual global turnover, whichever is greater. However, there is also the possibility of temporary or permanent bans on data processing, suspension of data transfers to certain countries, rectification, restriction or erasure of data, and simple warnings or reprimands.

It is not beyond the realms of possibility that a new app like Clubhouse based outside of the EU could inadvertently contravene GDPR regulations, particularly one that has grown so rapidly. Indeed, one risk might be that it has become so popular so quickly that the number of users involved could mean a severe contravention, although the fact that it is still in beta with user sign-ups restricted to invite-only is likely to mean that is not the case. It is more likely that any contravention would be relatively minor and that, accordingly, so too would any penalty.

Source: CNIL, SumOfUs