Clubhouse social network application on a mobile phone screen showing potential violation of privacy laws

Did Clubhouse Violate EU Privacy Laws? French Regulators Open Inquiry

Clubhouse has seen explosive growth since the start of 2021, with 13 million downloads on the year as of mid-March. And as with nearly every app that becomes a mass market phenomenon out of nowhere, it’s already facing regulatory and security issues. French privacy watchdog CNIL has opened an inquiry into the audio chat app’s handling of user data, noting that it does not have a corporate entity in the European Union (EU) or an obvious chain of custody for the personal information of users in the region. This could put it in conflict with EU privacy laws, most notably the General Data Protection Regulation (GDPR).

Clubhouse scrutinized for potential violations of EU privacy laws

The sudden and meteoric success of Clubhouse is owed to its unique formula for blending podcasts and chat rooms. The platform deals in nothing but live audio, allowing hosts to invite select users in to join real-time conversations. Up to 5,000 users can participate in each of these live audio sessions. The app has taken off like a rocket in recent months; it debuted in September to just 2,000 downloads, but jumped to 994,000 in December and has added a few million more new users every month since.

France’s CNIL, the regulatory body that is responsible for ensuring compliance with both EU and national data privacy laws, has opened an inquiry into Clubhouse in response to a petition that collected over 10,000 signatures along with an undisclosed number of direct complaints to the agency. The key question will be whether Alpha Exploration, the parent company of Clubhouse, is subject to the GDPR or any other European data protection rules. Clubhouse is processing and storing data of EU citizens that is protected by GDPR privacy laws. The inquiry is attempting to determine exactly where that is happening and if proper mandatory safeguards are in place. Since Clubhouse does not have an EU headquarters, any of the region’s data protection authorities can investigate it under both GDPR and local privacy laws (and potentially issue fines and sanctions) if there are app users in its jurisdiction.

The surge in Clubhouse’s popularity is owed to a combination of pandemic conditions and rapid adoption by celebrities and tech luminaries. Both Mark Zuckerberg and Elon Musk have appeared in chats on the platform, each of which quickly maxed out the 5,000-user limit. The app keeps these large chats from descending into chaos by having the moderators place a limited amount of participants on “stage” at one time, with all other users only able to listen in. In terms of personal data collected, Clubhouse is fairly limited with the only real items of concern being a phone number (mandatory to accept an invitation to the app) and an email address. However, users can also opt to connect their Twitter and Instagram accounts to the app.

Privacy concerns over live chats

The main privacy concern is the content of live chats, particularly those that might be intended to be private meetings. The Chinese government has already banned the app after discussions about treatment of the Uighurs appeared, and the government of Saudia Arabia has hinted at plans to ban it as well. It is unclear exactly how secure these chats are, and Clubhouse has some practices that might run afoul of privacy laws. For example, the app requires constant access to user contact lists (for some time this has been the only way for new users to be invited to the app). Given its policy of aggressive expansion, Clubhouse has yet to implement the sort of contact and recommendation privacy controls that more mature social media platforms have.

The Stanford Internet Observatory has found that Clubhouse is using a software development kit (SDK) made by Chinese company Agora, providing at least a theoretical path for the Chinese government to request user information (under its national intelligence laws) and even tap into private live chats. In February, a flaw was found in the SDK that allowed unauthorized access to video calls on a variety of services such as eHarmony and MeetMe.

The initial surge of popularity in December also brought with it complaints about Clubhouse’s moderation policies. Some users take issue with the platform’s lack of a misinformation labeling policy and a general lack of guidance for moderators about what speech is not permissible, something that could potentially land it in trouble in certain EU countries with strong hate speech laws such as Germany.

CNIL has opened an inquiry into Clubhouse in response to a petition that collected over 10,000 signatures (along with an undisclosed number of direct complaints). #privacy #respectdataClick to Tweet

In addition to facing its first real wave of regulatory scrutiny and the possibility of being fined under privacy laws, Clubhouse has some strong competition coming down the pipe. There are indications that both Facebook and Twitter are building similar services.