France’s privacy watchdog probes Clubhouse after complaint and petition
Clubhouse, the buzzy but still invite only social audio app that's popular with the Silicon Valley technorati, is being investigated by France's privacy watchdog.
The CNIL announced today it's opened an investigation into Clubhouse following a complaint and after it got some initial responses back from Alpha Exploration Co., the U.S.-based company behind the app.
It also points to a petition that's circulating in France with over 10,000 signatures - calling for regulatory intervention.
The regulator says it's confirmed that Clubhouse's owner is not established anywhere in the European Union - which means the app can be investigated by any EU DPA that receives a complaint or has its own concerns about EU citizens' data.
Last month the Hamburg privacy regulator also raised concerns over Clubhouse, saying they'd asked the app for more information on how it protects the privacy of European users and their contacts.
In the EU, cross border data protection cases involving tech giants typically avoid this scenario as the General Data Protection Regulation (GDPR) includes a mechanism that funnels complaints via a lead data supervisor - aka the national agency where the business is established in the EU.
This one-stop-shop' (OSS) already has had the effect of slowing down GDPR enforcement against giants like Facebook, which have established their regional HQ in Ireland. But there is a further risk of a regulatory moat effect that benefits big tech' if the OSS is combined with swifter unilateral privacy enforcement against newcomers like Clubhouse (which currently fall outside the OSS).
France's watchdog has certainly demonstrated a willingness to move fast and enforce the rules against tech giants like Google and Amazon when unencumbered by the OSS - recently issuing fines over cookie consent issues in excess of $160M, for example. It also hit Google with a GDPR fine of $57M in 2019 before the tech giant moved the jurisdiction of regional users to Ireland.
So there's no reason why the CNIL won't show similar alacrity in its probe of Clubhouse. (Although in its press note today it does write that European DPAs are communicating with each other on this matter, in order to exchange information and ensure consistent application of the GDPR".)
Privacy concerns that have been attached to Clubhouse include that it uploads users' phone book contacts - using the harvested phone numbers to build a usage graph so it can display how many friends' a non-user has on the service at the point when the user is being asked to select which of their contacts to invite to the service.
The petition to CNIL also claims Clubhouse's secret database" of users' contacts may be sold to third parties.
For years, lawmakers have not dared to attack Facebook for sucking up our data. Our democracies are paying a heavy price today," the authors of the petition also write. Clubhouse hopes we haven't learned anything from Facebook's methods and that its questionable practices will go unnoticed. But the German privacy agency has already accused the company of violating EU law. Now we need regulators in other countries to follow suit and put pressure on Clubhouse.
If thousands of you ask the CNIL to enforce the law, we can put an end to this blatant violation of our private lives. It is also an opportunity to send a strong message to the tech giants: our data is ours and no one else's."
In its privacy policy, Clubhouses owner writes that the Company does not sell your Personal Data" - but does list a wide ranging number of reasons why it may share" user data with third parties, including for advertising and marketing services", among many other listed reasons.
Clubhouse has been contacted for comment.
Report: Social audio app Clubhouse has topped 8 million global downloads
A race to reverse-engineer Clubhouse raises security concerns