PONT Data&Privacy

Clubhouse: another case of "popularity leads to trouble"?

Clubhouse - a "talk app" that has come over from the United States - saw its number of downloads grow at a rapid pace in recent weeks. With its specific focus on audio rather than videos and photos, the app seems to be emerging as a potential competitor to Instagram and Facebook. On the other hand, more and more reports are surfacing showing that the app's approach to privacy law is not so watertight.

29 March 2021

Coauthor Malu Westdorp

For example, the privacy terms raise a lot of questions and reports have already surfaced that users' data are not only stored in the U.S., where the parent company Alpha Exploration Co., Inc. is located, but are also stored on servers in China. However, such flaws do not seem to stop its popularity for now.

1. What goes wrong?

1.1 Applicability of the AVG

It is unclear whether Clubhouse assumes that the General Data Protection Regulation (AVG, the Dutch abbreviation for the GDPR) applies. Its privacy terms and conditions do mention additional rights based on California law, but there is no mention of the AVG. Based on the territoriality provision of the AVG, however, it follows that the regulation does apply. Under Article 3(2) AVG, the AVG fully applies to parties located outside the Union who:

  • (a) Offer goods and services in the Union; or

  • (b) Monitor the behavior of data subjects in the Union.

In the case of Clubhouse, both (a) and (b) are involved. After all, offering the app can in itself be seen as offering a service. In addition, according to the Privacy Policy, Clubhouse uses online tracking techniques such as cookies and device fingerprinting.(1) According to the EDPB, these kinds of techniques are considered monitoring activities. Incidentally, the WP29 - predecessor to the EDPB - called techniques such as device fingerprinting a serious threat to the protection of personal data.

Organizations covered by Article 3(2) AVG are required to appoint a representative in the Union. Thus, a non-Union-based controller or processor that is subject to the AVG but does not designate a representative in the Union violates the regulation. It is unclear whether Clubhouse has a Union representative.

1.2 Storage in the US and China

Since Clubhouse is located in the US, personal data is collected there. In addition, users' data were stored on servers in China. This was allegedly done without taking additional measures to protect that personal data against the differing level of legal protection in those countries. This is all the more objectionable since the European Court of Justice ruled only last year that additional measures were required to justify a transfer at all, and the U.S. and China are countries that regularly come under fire over whether their data protection laws are adequate. The Schrems II case dealt specifically with U.S. data protection law.

1.3 Minors

Like TikTok, Clubhouse seems to make the mistake of not properly checking whether minors are using the app.(2) Despite the fact that the terms and conditions state that the app should not be used by minors, it is possible to sign up without too much trouble.

Incidentally, Clubhouse does not appear to be (fully) compliant with the AVG in other respects either. For example, it is unclear how long certain data is kept. In addition, user contacts are collected if the user gives permission. However, the question is whether that consent meets the requirements of the AVG: colors and large text blocks lure the user into "consent," so to speak. That doesn't exactly sound freely given. On top of that, the contact whose data is collected has no influence on this at all.

2. Enforcement options

Increasingly, we see apps or online tools gaining popularity first and only then starting to look at the relevant legislation that applies to them. Many users seem unimpressed by unlawful processing and by investigations by authorities, if there are any at all. To what extent can users still be protected from apps like Clubhouse?

2.1 Organization not based in EU: free rein for regulators

An organization operating from outside the EU and without a representative on EU territory can be addressed or investigated by all member states individually under privacy law. A number of European regulators appear to have already taken advantage of this with respect to Clubhouse; the Belgian GBA previously announced that it wants to investigate Clubhouse's practices.(3) The Hamburg regulator has also questioned Alpha Exploration Co. The French CNIL announced its intention to launch an investigation. The French authority says it wants to investigate whether the AVG applies.(4)

2.2 Organization based in EU

Should an organization such as Clubhouse have an establishment in the EU, supervision is in principle up to the supervisory authority of the country where the organization's headquarters is located. Organizations without an establishment, but with a representative, do not benefit from the one-stop-shop regime: they have to deal, through their representatives, with local regulators in each member state in which they operate. Ireland and Luxembourg are popular countries for large tech companies. On the one hand, it could be argued that these regulators are adept at investigating similar companies. On the other hand, the capacity of authorities in countries such as Ireland may prevent timely investigations and enforcement.(5) We also see this with the Dutch Autoriteit Persoonsgegevens (AP).(6)

Such capacity issues increasingly lead to questions about the ability of regulators to enforce the AVG. However, there are other options.

  • Consumer organizations

Consumer organizations can also play a role in drawing attention to possible breaches of privacy laws and regulations. Just recently, the European consumer organization "BEUC" filed a complaint with the European Commission about TikTok's handling of personal data.(7) The complaint about TikTok was filed under Article 27 of Regulation 2017/2394 on cooperation between national authorities responsible for the enforcement of consumer protection laws. The AVG is not included in this regulation. However, the complaint about TikTok related not only to the AVG, but also to violations of other consumer regulations. In this case, the complaint should lead to (national) authorities taking action.

Perhaps the Digital Markets Act could bring some more wiggle room in this as well, once the European authorities have agreed on the distribution of power.(8)

  • Complaints from data subjects

Data subjects can also report to the AP (or another regulator in another member state). A distinction should be made between a tip and a complaint. A tip can be made at any time, but the AP then gives no response as to whether any action is taken on the basis of that tip. A complaint requires that the complainant's own personal data is actually being processed and that the organization is suspected of not complying with the required protective measures. Although the AP can launch investigations in response to complaints, and in that sense a complaint can be an effective tool, there are also barriers. One such barrier is that the AP expects the data subject to first contact the organization in question themselves. Another barrier is that the AP's current capacity appears insufficient to handle all incoming complaints.(9) The AP indicates that the average waiting time per complaint is currently six months.

  • Mass claims

Another option is the emergence of mass claims. In the case of a large-scale breach involving many people for which "an impairment to the person" may apply, it is quite conceivable that a mass claim could be initiated on behalf of injured parties, for example on the basis of the Law on Settlement of Mass Damages in Collective Action (WAMCA) that came into force on January 1, 2020. Admittedly, such proceedings may be seen as "buying off mistakes," but on the other hand, money may well provide an incentive for organizations to accelerate the path to compliance.

3. Enforcement versus awareness

The question is whether users of popular apps like Clubhouse are aware of the privacy risks. The rapid increase in the number of users may indicate that users are unaware of the risks. It may also be that they accept these risks. For example, the alleged violations of TikTok did not (directly) lead to a decrease in the number of new users.(10) A distinction can also be made between, on the one hand, the dangers of using social media apps in a social context and, on the other, the privacy risks that arise because the organizations behind the apps collect all kinds of data from you through that use. The latter in particular is less visible to those involved.

The aforementioned enforcement mechanisms refer to situations where a data subject or an interest group has itself initiated an action. In addition, (part of) the solution may be found in raising awareness. There is no law or regulation indicating who is responsible for making citizens more aware of privacy risks.

The AP, the Consumers' Association and Rijksoverheid (the Dutch central government) do try to contribute to this. For example, the AP's website contains a number of awareness campaigns. The Consumers' Association also has a page dedicated to it.(11) Rijksoverheid also has an awareness campaign planned.

The campaign aims to:

  • Increase privacy awareness among citizens;

  • Enhance the prospects for action;

  • Strengthen standards.

With regard to awareness, it is specifically mentioned that it involves awareness regarding the use of digital applications. Also, in the context of awareness, the curriculum for primary and secondary education is being adjusted. In February, (outgoing) Minister Dekker announced that the government's Horizontal Privacy campaign has been postponed until 2022 due to the corona crisis. Regarding public campaigns, the government is now focusing particularly on topics related to the corona crisis. Especially with people spending most of their time digitally and an increase in social media use as a direct result of the corona crisis, we believe it would be a great opportunity to implement the campaign now.(12)

In conclusion

So there are multiple routes to enforcement, which could perhaps be used in a blended form to ultimately both get tech platforms in line with the AVG and make consumers more aware of online risks. Ultimately, this could lead to a better balance between tech platforms and their users. However, we expect that such a movement will take some time.

Footnotes




(1) https://www.notion.so/Privacy-Policy
(2) https://www.rtlnieuws.nl/tech/artikel/5208344/tiktok-instellingen-jonge-gebruikers-instelling-duet-stitch
(3) https://www.tijd.be/tech-media/media-marketing/gegevensbeschermingsautoriteit-gaat-socialemedia-app-clubhouse-onder-de-loep-nemen
(4) https://www.cnil.fr/fr/la-cnil-ouvre-une-enquete-sur-lapplication-clubhouse
(5) https://www.europarl.europa.eu/doceo/document
(6) https://autoriteitpersoonsgegevens.nl/nl/nieuws/forse-stijging-privacyklachten-2019
(7) https://www.beuc.eu/publications/beuc-files-complaint-against-tiktok-multiple-eu-consumer-law-breaches
(8) https://www.nu.nl/tech/6123146/commissies-europees-parlement-kibbelen-over-wie-aanpak-big-tech-mag-leiden
(9) https://autoriteitpersoonsgegevens.nl/nl/nieuws/aantal-privacyklachten-blijft-zorgwe

AKD