Privacy, the Guarantor is now investigating Clubhouse

Clubhouse seems to have grown too fast: on many points it is not compatible with European privacy regulation.

It is the most popular social network of the moment but, despite its ever-growing fame, Clubhouse has not managed to escape the watchful eye of the Guarantor of Privacy, who has requested important information on the use of members' data. For the app, there are many points to clarify about compliance with the regulations in force in Europe.

The news of the Italian Guarantor's interest in Clubhouse is not yet official, but the points to clarify are already known: the procedures Clubhouse has put in place to comply with the EU General Data Protection Regulation (GDPR). Several aspects of how information is managed by the voice-based social network, which is also frequented by famous people such as Elon Musk or Mark Zuckerberg, remain obscure. Accessible only by invitation and only to users with iOS devices (at least for the time being), the app made by Alpha Exploration Company now has 15 days to clarify how it intends to comply with European privacy regulations.

Clubhouse, the key points to clarify to the Guarantor

The first point on which Clubhouse will have to shed light is, therefore, the management of user data, from storage methods to the time required for deletion from its servers. Access to the address book will also have to be described in detail, given the massive use the app makes of it during the invitation phase, as will the possible biometric analysis of users' voices, the main communication tool within the social network.

In particular, any reference to Article 13 of the GDPR is reportedly absent from Clubhouse's privacy policy, while the only laws cited in the documentation are those in force in the state of California. The same goes for the Data Protection Officer, the figure responsible for data protection, who is not mentioned in the documentation available to users. Also pending is the question of verifying that users are of legal age, another point to be clarified by the Guarantor in the coming days.

The impression, to tell the truth, is that Clubhouse has grown too fast and that it is not yet ready to face an obstacle of the (enormous) dimensions of the GDPR.

Clubhouse, what is there to know

One of the salient points is the management of the contacts in the address book on registered users' smartphones. Once registered, in order to take advantage of the two invitations available, the user must allow the app to access the names stored on the phone, a procedure that, according to data protection officer Johannes Caspar, head of the German branch of the commission, would violate the provisions of the GDPR.

In addition, the app reportedly cannot distinguish between the different types of contacts in memory. This is the case reported on Twitter by the researcher Alex Blanford, who recently posted screenshots of how Clubhouse had turned the phone numbers of health centers into "mutual friends" among some users who had saved those entries in their address books.

The same concerns also apply to the network of friends and acquaintances which, once a user logs into the app, effectively becomes public to all users. The name of the person who provided the invitation to Clubhouse remains visible on one's profile, giving anyone an important piece for reconstructing relationships among the members of the social network.

Last but not least is the transfer of data to servers in the United States. Although this is explicitly stated in the policy, the Privacy Shield that previously allowed this operation was invalidated by the Schrems II ruling, bringing to light another alleged irregularity that adds to the doubts raised by the Guarantor.