Clubhouse vs GDPR: not all that glitters is gold


The Clubhouse phenomenon

First launched in 2021, Clubhouse is the state of the art in this type of community: since January this social network has enjoyed immense popularity in Italy and has become part of people’s lives 24/7. Its rise has been uninterrupted, and since February the number of Clubhouse installations has soared from about three million to more than 8 million.

Let’s talk about the Clubhouse phenomenon: those who log in find it hard to disconnect. Unlike other social networks, it only provides audio content but its most interesting feature lies in its exclusivity.

It is currently only available on iOS but in the coming weeks it should also land on Google Play Store for Android smartphones. Another peculiarity is that it is an invitation only app, although it is possible to pre-register and your account can be used once you are invited to join by an existing member or after one of your contacts/users decides to unblock you from the waiting list.

Clubhouse is an American social network founded in April 2020 by Paul Davison and Rohan Seth, who invested 12 million dollars in it. In the US this social network enjoys enormous popularity with several VIP subscribers using this space. One of them is, for example, Elon Musk, owner of Tesla, who hosted an audio chat on Clubhouse attracting over 5 thousand subscribers to his conversation room. Also Mark Zuckerberg made a surprise appearance on Clubhouse, just days after Elon Musk, causing platform crashes because of the high number of users who tried to access his room. In Italy it took only a few weeks for Clubhouse to achieve resounding success.


An appealing novel app

Clubhouse is a kind of interactive podcast in real time whose goal is to create a space for reflection and discussion. Each room is a thematic chat and you can choose to participate in the conversation or just listen to the other members present.

Everything revolves around the voice: there are no written messages, photos with special filters or live streaming videos. It works like a forum or a large chat room, where users have the possibility to choose which room to access depending on their personal taste and passions: music, cinema, technology, politics, health, current events and much more.

Unlike a podcast, Clubhouse is live and the conversation in the room occurs at that very moment, it lasts as long as the room is open and it is not possible to download or retrieve any chat at a later stage.

Users have the option of simply being listeners, following the various discussions, or actively taking part in them by recording their own voice. All posted audio messages cannot in any way be exported from Clubhouse: the platform, in fact, prevents them from being shared, downloaded or recorded.

The layout of the Clubhouse home is arranged quite clearly, with the suggested rooms in the foreground: as soon as you identify the section you want to enter, you get to the heart of the conversation and can immediately listen to what the registered users are saying.

We therefore wonder if Clubhouse is a rival of the radio and podcasts or it is an ally providing opportunity for interaction with the public. As things are at the moment, it is difficult to find a clear answer. What is certain is that its popularity has risen exponentially: in just twelve months since its inception, its value has already been estimated at almost a billion dollars. 


The voice as a tool for training artificial intelligence

Clubhouse has started a new trend:  simpler and more transparent, it is the first innovation in the socials appearing 5-6 years after the launch of the Instagram stories.

It reveals a spirit and an attitude open to innovation that do not belong to the social networks we already know: actually, you can hardly find a tendency to intensify the debate or to polarize on certain positions because Clubhouse’s stated aim is that of enriching visions and thoughts.

Anyone can take the floor, a possibility that is not aimed at expanding their voice; rather, listening to the speakers is functional to perfecting the application and training artificial intelligence.

When you decide to post something on Instagram, TikTok or Facebook, you have a large space for reflection in order to prevent a particular image or post from clashing with your thoughts or from revealing something that you do not want to entrust to the big machine of digital marketing. The post, therefore, tends to be skewed by what is best valued by most followers. In Clubhouse, on the other hand, thanks to the presence of a moderator, who has the ability to bring others on stage, mute and bump speakers back to the audience, it is possible to enhance the protagonists and give everyone a voice, thus ensuring the continuity of the interventions themselves. The voice is freer, there are no rethinking constraints and it  fully represents the state of mind of the speaker.

The clarity and transparency of this social network, however, are not entirely without deception: the software is able to read conversations and extrapolate their emotionality and sincerity. If we add up the frequency with which a person is on Clubhouse, the rooms entered, the type of credit they receive when they are called to speak live, the words they utter, a much more accurate human profile is outlined than to what can emerge from traditional social networks and perhaps even in a less conscious way. To date, it is possible to observe that the ubiquity of algorithms has potentially revolutionary effects both in the context of daily life and in social research. However, understanding the ways in which the algorithms operate is a decidedly complex investigation[1].


A critical issue: Failure to comply with user data

Clubhouse seems to be a privacy-oriented app, not interested in sharing texts, files, or anything else, but it focuses on listening to conversations, which are neither shared nor recorded and which are, at least in theory, immediately deleted from the app.

If we look at the privacy policy of the social network, however, we realize that Clubhouse has shortcomings from the point of view of privacy and poor protection of users’ personal data.

It is an app in beta, a non-definitive software version, so it poses numerous questions and presents also several discrepancies with respect to European legislation: there are indeed serious gaps in compliance with both the GDPR[2] and European data protection legislation.

Initial doubts are raised by the absolute lack of consent, on the basis of recital 32 of the GDPR: it is to be considered that “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her”.

On the basis of the provisions of the GDPR, when the data subject consents to the processing of their data, they do not necessarily consent to all types of processing as they can in fact give it only with regard to some types of data processing. The privacy and terms of service of Clubhouse are instead accepted with a single click, in clear violation of the principle of specificity and granularity of consent. The Clubhouse policy, on the other hand, requires the user to accept everything or be free to refuse it and therefore not access the service.

An essential step in order to proceed with the registration is the obligation to share the mobile phone book: the privacy policy speaks of voluntary sharing of the phone book data, even if in effect it is a practically mandatory step to implement the invitation system, and it is, without doubt, invasive.

A further deficiency is to be identified in the lack of identification and recognition of the rights of European citizens: the policy does not consider the rights of European citizens at all but there is only a section dedicated to the inhabitants of California and which refers to the possibility of exercising the established rights by the California Consumer Privacy Act. The data is transferred to the USA, but the guarantees that allow this transfer are not indicated: nothing is specified regarding the methods with which the data is transferred; there is no mention concerning  the adoption of  the guarantees provided for by the contractual clauses standards approved by the EU Commission, let alone whether Clubhouse has adopted those additional measures to respond to the critical issues of data transfer in the United States highlighted in the Schrems II ruling, all in open contrast to Article 13 paragraph 1 lett F) of the Regulations.

Through its platform, Clubhouse treats personal data of European citizens on a large scale and not occasionally, and therefore the failure to appoint a European representative pursuant to art. 27 GDPR is a rather serious shortcoming, especially in consideration of the success that the Clubhouse app is enjoying in Europe as well.

Furthermore, more critical issues emerge in relation to the possible sharing of personal data that Clubhouse could carry out with its affiliates without the need for prior communication to the user and, above all, without the latter having provided specific consent in this regard.

The policy statement states that the company does not sell personal data but in certain circumstances it could be shared with third parties without further notice.

Therefore the data is not sold but it can be shared in particular with their current and future affiliates. The GDPR, on the other hand, provides for art. 22 and in recital 71 a specific consent for profiling and “sharing”. Not only is this type of consent absent from the Clubhouse policy, but the acceptance button of the terms and conditions is not even distinguished from the privacy button.

Some information, even after uninstalling the account, may remain in the systems; we talk about profiling but it is not clear how, why and for what purposes, or if the bots – real artificial intelligence algorithms able to analyze and understand the language of users interacting with them – will be used to “read” conversations. After all, the business model and how it will monetize are not clear yet either.

Regarding the purpose of processing personal data, as established by art. 5 paragraph 1, lett. b) of the GDPR, personal data is “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. Clubhouse does its utmost in its statement to identify a long list of activities, which, however, are in no way supported by any legal basis, as required by the GDPR.

Furthermore, if we look at the guarantee that the policy statement offers to users in terms of data security, we are not at all reassured: “You use the Service at your own risk. We implement commercially reasonable technical, administrative, and organizational measures to protect Personal Data “.

Therefore, anyone using the Clubhouse service does so at their own risk, as the company only adopts “commercially reasonable” technical measures for the protection of personal data.

Although Clubhouse advertises its service with a commitment not to record the conversations that are shared in streaming, things don’t really work like that. In fact, the policy states that audio sessions are recorded whenever a violation of the terms of service is reported by a user during streaming. The “temporary” registration, therefore, is kept indefinitely by the app, or until this is “reasonably necessary” for commercial or legal reasons. The regulation requires deleting the data once the aim for which that data was collected and processed has been reached, art. 5, paragraph 1, lett. e), of the GDPR. Clubhouse, on the other hand, generically establishes that it will keep the data as long as it is necessary or useful and will delete it when the longer term is reached and without any respect for the principle of purpose limitation, conservation limitation and the minimization principle.

And what about minors? What provisions are included for them? As it turns out, Clubhouse has not implemented particular minimum age verification mechanisms, with the result that anyone between the age of 14 and 18 could easily enter the app and access content dedicated to an adult audience.

It is simply stated that the service is not aimed at people under the age of 18. It also clarifies that the Company does not knowingly collect personal data from individuals under the age of 18. And if anyone has reason to believe that an individual under the age of 18 has provided personal data to the Company through the Service, it is the responsibility of those who notice it to report it to Clubhouse so as to delete that piece of information from the database. The policy is a bit sparse: perhaps in the emotional wake left by the recent TikTok[3] case, greater control would be necessary.


Fixed quota controls, will they be effective?

The lack of a clear and precise policy does not mean total absence of control. Clubhouse has started to clean up its wild environment with the possibility of using a ban, the tool that is used to prohibit access to and interaction with others in a specific room. Therefore, bursts of bans have started in the Italian rooms because the boundaries between what is allowed and what is prohibited are not clear yet. For example, an account was banned because it changed its profile picture too many times. There has been a ban for the use of inappropriate language or a ban for rooms in which unsuitable content has been part of the conversation. The ban is sent to those who have violated the system but a warning is also sent to those who have allowed the violator to enter Clubhouse.

The ban is undoubtedly a sort of protection shield but it is no use if you are mixed up about what it can defend you against or to what extent its protection can be considered effective.

Everything is recorded by the algorithm thanks to a “speech to text” system for which the audio is transcribed in semantics. There is a linguistic doubt, however: how do we make sure that they know what we are saying in Italian? Clubhouse is an application that revolves around the sound of the voice: it has therefore become necessary to study the tone of the voice to understand the emotional and health condition of a subject. Consumers are therefore not only intercepted for what they do but also for what they feel.


Unresolved questions

Is there also a biometric analysis of the audio tracks? What is the risk? Is it possible to switch from data breaches to voice breaches? Voice as such is not considered as biometric data: in the GDPR, in fact, biometric data is clearly defined as that piece of information that is the result of a technical process that, starting from ideological data, transforms it into a unique identifier of that subject to whom the voice belongs, to which the digital voice belongs rather than the pattern of the iris or the shape of the face.

So we see that a photo of the face is not considered biometric data, but the treatment represented by the pixellation and the geometric analysis of the face transforms that photo into biometric data. Biometric analysis must be carried out on the personal vocal data, because biometric data pertains to physical features and is presented as the new form of authentication.

The biggest problem lies in the analysis of how much awareness there is in the users of the fact that through the voice a large amount of information is released, thus revealing in a casual way relevant and sensitive data.


The request of the Italian Guarantor

Regulatory gaps, confusion and superficiality have led the Italian Privacy Guarantor to ask for prompt and transparent answers from Clubhouse: there is the need to see more clearly into the use made by the app of  its subscribers’ data.

There are many innovations, not only regarding the attention to algorithmic functioning, but also to marketing: Clubhouse is, in fact, the only social media whose logo changes monthly showing the face of the star of the moment. The policy must be modified in compliance with European legislation, but it must be recognized that the success of this social network has occurred because it is considered really innovative: the more exclusive it is, the greater the curiosity it arouses in users and therefore the wider the desire to be part of it. Despite the superficiality with which Clubhouse has been introduced in the world context, without taking into account the respect of rules and people’s data, in reality it is precisely the lack of profound meaning of the contents that gives way to a space for reflection and greater depth. It is undoubtedly a trend reversal: for the moment, it is worth enjoying this return to the past and to the beauty of the sound of the voice with the hope of a comprehensive response from Clubhouse to the Italian Guarantor.


[1]S. Barocas, S. Hood, M. Ziewitz, “Governing Algorithms: A Provocation Piece”, in SSRN Electronic Journal, 2013; N. Seaver, “Algorithms as culture: Some tactics for the ethnography of algorithmic systems”, in Big Data & Society, N. 4/2017.

[2]General Data Protection Regulation approved with EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 and applicable from 25 May 2018.

[3]Provision of January 22, 2021 [9524194] link

Share this article!

About Author

Leave A Reply