In this blog post I analyse the privacy policy[1] of the Clubhouse app from the prism of the General Data Protection Regulation (GDPR)[2] and the E-Privacy directive (Directive).[3] After completing a rigorous course in Privacy and Data Protection it has become a hobby of mine to examine whether the privacy and cookie policies of different websites are in consonance with the principles of GDPR and other privacy regulations/directives. The initial aim behind this exercise was to ascertain my own understanding of the subject more than anything else, however soon I found out a disturbing trend. The trend was that most websites’ privacy and cookie policies were not complying with either the spirit or the letter of the GDPR and the Directive. It either means that even after some years of the GDPR now being in force, the real understanding of the provisions and how to comply with them is still at a nascent stage or the more disturbing conclusion that companies do not care enough about the personal data they process and are more interested in providing a mere lip service to the legislations and hopefully limit their liability.

Naturally the chatter about the huge privacy and cybersecurity risks about the new social media sensation Clubhouse caught my attention. For the uninitiated, Clubhouse is the newest kid on the block of social media and networking apps and has seen meteoric rise in its popularity and usage.

This combination of offering exclusive access and a very unique audio only usage drove this app very high on the popularity list. I had no great expectations when I started reading Clubhouse’s Privacy Policy however I have no hesitation in admitting that I was totally taken aback by the extent of noncompliance with the GDPR provisions. The subsequent section of the blog identifies the concerning parts of the privacy policy along with my explanation of why the said part is contrary to the provisions of the GDPR.

“By visiting Clubhouse’s website(s) and all other products, services and applications made available by Clubhouse from time to time (collectively, the “Services”), you acknowledge that you accept the practices and policies outlined in this Privacy Policy. By using the Services, you are consenting to have your personal data transferred to and processed in the United States.”

This is part of the first paragraph of the Privacy Policy of Clubhouse app and it immediately raises a big red flag when seen in context of Data Processing under the GDPR and the E-Privacy Directive. Calling it just a big red flag is admittedly an understatement, this is because here the app has not just managed to breach a single article of the GDPR but an entire Chapter. Chapter 5 of the GDPR clearly deals with the various situations in which data can be processed or transferred outside the EU and in this case the United States. Long story short, Articles 45, 46, 47 and 49 basically provide the framework of how data can be transferred outside the territory of EU. The basic premise behind this chapter is that data can be transferred outside the EU if and only if it is ascertained that the third country has an adequate level of protection. The striking down of the EU-US Privacy shield in Schrems II is based on the adequacy principle discussed in this chapter.  It is very interesting albeit quite disturbing as well to note that Clubhouse manages to completely ignore everything present in Chapter 5 of the GDPR in the very first paragraph of its privacy policy.

 “Individuals from the European Union (“EU”) may only use our Services after providing your freely given, informed consent for Clubhouse to collect, transfer, store, and share your Personal Data, as that term is defined in the EU’s General Data Protection Regulation.”

In the very next paragraph, the Privacy Policy of Clubhouse seems to completely ignore the provisions of Article 5 (1) (b and c) of the GDPR which provides that specific and explicit purpose for which the data is being processed needs to be mentioned and in line with the principle of data minimization only that amount of data should be processed which is required for the purpose. From the text it is amply clear that the wording has been deliberately drafted vaguely,  it is not clear for what purposes the consent for processing of Data is being collected and further it is also  not taking a clear consent for such processing because the consent is not being freely taken, the wording clearly  says “individuals  from the  EU may only use services…” a plethora of judgments exist on this issue wherein the  Court have very  strictly interpreted Article 7(4) of the GDPR to state that consent is freely given only when the provision of a service is not conditionally dependent on providing of consent. The explanation is that if a service is being denied to users if they don’t consent to the processing of their personal data, such a consent cannot be taken to construe a “valid consent”. The Privacy Policy clearly fails to take free consent for the processing of personal data.

“Certain information that is collected automatically, such as device ID, IP address and phone number, and browsing information that is associated with a user will be treated as Personal Information.”

Prima facie the wording is such that it in no uncertain terms accepts that users are subject to automatic collection and processing of personal data and as such this clearly attracts the application of Article 22(1)[4] of the GDPR. The Privacy Policy fails to acknowledge this right of the data subject to choose to not subject himself or herself to this automatic processing of data. In addition to the aforesaid, Clubhouse also accepts that data may be vulnerable to external attacks and accepts no liability for the same.  

While Clubhouse really offers a very unique service and may be really beneficial to new businesses by helping them make a brand name of themselves, it is a nightmare in terms of privacy risks. Therefore keeping in context the various risks, it may be advisable to resist the fear of missing out and the bandwagon effect and instead adopt the joy of missing out when it comes to using Clubhouse, an app which prima facie has no concerns about protecting personal data or breaching GDPR principles!

[1] The Privacy Policy of  Clubhouse  app can be accessed at <https://clubhouse.io/privacy/> accessed on 20 March 2021

[2] The General Data  Protection Regulation can be  accessed at < https://gdpr-info.eu/> accessed on 20 March 2021

[3]The E-Privacy Directive can be accessed at<https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058>  accessed on 20 March 2021

[4] Article 22(1) of the GDPR reads as “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling… or similarly significantly affects him or her”.