FOMO (Fear Of Missing Out) vs. Privacy: “Clubhouse”

Satwik Singh
Published in DataBulls
Mar 11, 2021

Does “Clubhouse” Care About Your Privacy?

Evaluation of Clubhouse’s Privacy Policy within the scope of GDPR

Rafael Henrique/SOPA Images/LightRocket via Getty Images

In this blog post, I restrict myself to analyzing just the privacy policy of the Clubhouse app through the prism of the General Data Protection Regulation (GDPR) and the E-Privacy Directive (Directive). After completing a rigorous course in Privacy and Data Protection, it has become a hobby of mine to visit different websites and investigate whether their privacy policies and cookie policies are in consonance with the principles of the GDPR and other privacy regulations and directives. The initial aim behind this exercise was to ascertain my own understanding of the subject more than anything else; however, I found a trend that pointed to some disturbing conclusions. The trend was that most websites’ privacy policies and cookie policies were not complying with either the spirit or the letter of the GDPR and the Directive. The conclusions from this were not inescapable: it either meant that, even after some years of the GDPR being in force, the real understanding of the provisions and how to comply with them is still at a nascent stage, or, the more disturbing conclusion, that companies do not care enough about the data they take from us and are more interested in paying mere lip service to the legislation and hopefully getting away without paying hefty fines!

Newest Kid of Social Media: Clubhouse

Naturally, the chatter about the huge privacy and cybersecurity risks of the new social media sensation Clubhouse caught my attention! If the saga of Facebook and Cambridge Analytica has anything to teach us, it is that social media and networking apps and websites are potentially the riskiest when it comes to privacy and data protection issues.

For the uninitiated, Clubhouse is the newest kid on the block of social media and networking apps and has seen a meteoric rise in its popularity and usage. In my opinion and understanding, the popularity of the app can be attributed to two very distinct reasons.

First, it very successfully used social engineering, leveraging the Fear of Missing Out, colloquially known as FOMO, by making the app ‘invite only’. Second, it offered something very unique in terms of its features: unlike Facebook and WhatsApp, the app is audio-only, which allows people not only to network in a very unique way but also to use the app as a brand-building tool. Not to mention that the app boasts celebrity users such as Oprah Winfrey to boot!

This combination of offering exclusive access and a very unique audio-only usage drove this app very high on the popularity list.

In view of the background mentioned above and the discussion about the lax cybersecurity measures of the app, I had no great expectations when I started reading Clubhouse’s Privacy Policy. However, I have no hesitation in admitting that I was totally taken aback by the extent of noncompliance with the GDPR provisions. The subsequent section of the blog identifies the concerning parts of the privacy policy, along with my explanation of why each part is contrary to the provisions of the GDPR.

Security Concerns: Clubhouse’s Privacy Policy

(Evaluation of Clubhouse’s Privacy Policy within the scope of GDPR)

1. “By visiting Clubhouse’s website(s) and all other products, services and applications made available by Clubhouse from time to time (collectively, the “Services”), you acknowledge that you accept the practices and policies outlined in this Privacy Policy. By using the Services, you are consenting to have your personal data transferred to and processed in the United States.”

This is part of the first paragraph of the Privacy Policy of the Clubhouse app, and it immediately raises a big red flag when seen in the context of data processing under the GDPR and the E-Privacy Directive. Calling it just a big red flag is admittedly an understatement on my part, because here the app has managed to breach not just a single article of the GDPR but an entire Chapter. Chapter 5 of the GDPR clearly deals with the various situations in which data can be processed or transferred outside the EU, in this case to the United States. Long story short, Articles 45, 46, 47, and 49 basically provide the framework of how data can be transferred outside the territory of the EU. The basic premise behind this chapter is that data can be transferred outside the EU if and only if it is ascertained that the third country has an adequate level of protection. The striking down of the EU-US Privacy Shield in Schrems II is based on the adequacy principle discussed in this chapter.

It is very interesting, albeit quite disturbing as well, to note that Clubhouse manages to completely ignore everything present in Chapter 5 of the GDPR in the very first paragraph of its privacy policy.

2. “Individuals from the European Union (“EU”) may only use our Services after providing your freely given, informed consent for Clubhouse to collect, transfer, store, and share your Personal Data, as that term is defined in the EU’s General Data Protection Regulation.”

In the very next paragraph, the Privacy Policy of Clubhouse seems to completely ignore the provisions of Article 5(1)(b) and (c) of the GDPR, which provide that the specific and explicit purpose for which the data is being processed needs to be mentioned and that, in line with the principle of data minimization, only the amount of data required for that purpose should be processed. From the text it is amply clear that the wording has been deliberately drafted vaguely: it is not clear for what purposes the consent for the processing of data is being collected. Further, it is also not taking clear consent for such processing, because the consent is not being freely taken; the wording clearly says “individuals from the EU may only use services…”. A plethora of judgments exist on this issue wherein the Court has very strictly interpreted Article 7(4) of the GDPR to state that consent is freely given only when the provision of a service is not conditional on the providing of consent.

The explanation is that if a service is denied to users who don’t consent to the processing of their personal data, such consent cannot be construed as “valid consent”. The Privacy Policy clearly fails to take free consent for the processing of personal data.

3. “Certain information that is collected automatically, such as device ID, IP address and phone number, and browsing information that is associated with a user will be treated as Personal Information.”

Prima facie, the wording in no uncertain terms accepts that users are subject to automatic collection and processing of personal data, and as such this clearly attracts the application of Article 22(1) of the GDPR, which states that “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling… or similarly significantly affects him or her”.

The Privacy Policy fails to acknowledge this right of the data subject to choose to not subject himself or herself to this automatic processing of data.

In addition to the aforesaid, Clubhouse also accepts that data may be vulnerable to external attacks and accepts no liability for the same.

JOMO (Joy of Missing Out): The Mantra Anyone Who Cares About Their Privacy Should Adopt When Using Clubhouse

With this context in mind, while I accept that Clubhouse really offers a very unique service and may be really beneficial to new businesses by helping them make a brand name for themselves, it is a nightmare in terms of privacy risks. Therefore, given the various risks, it may be advisable to resist the fear of missing out and the bandwagon effect and instead adopt the Joy of Missing Out when it comes to using Clubhouse, an app which prima facie has no concerns about protecting personal data or breaching GDPR principles!
