The Data Protection Authority in France has launched a probe into social chat app Clubhouse to verify compliance with the General Data Protection Regulation (GDPR), marking a second questioning of the company’s practices by European authorities.
Commission nationale de l’informatique et des libertés (CNIL) is acting after a petition with more than 10,000 signatures alerted it to possible breaches of privacy by the audio-only app. Participation is through virtual lounges and by invitation.
CNIL says it has contacted Clubhouse’s parent company Alpha Exploration about measures taken to comply with the GDPR.
Also, European authorities are communicating with each other to exchange information and ensure consistent application of the GDPR, the French DPA added.
“The investigation should confirm that the GDPR is applicable to the company and determine if it is ignored. If it were confirmed that the application published by this company does not comply with the GDPR, the CNIL may, if necessary, use its own repressive powers,” it said.
In early February, Hamburg’s DPA announced it had “sent a catalogue of questions” to Clubhouse’s operators in California to check compliance with European data protection law.
Matters of concern the German body highlighted included address books in mobile devices of users who invite other people are automatically stored by Clubhouse.
“As a result, contact data of numerous people, without them even coming into contact with the app, ends up in foreign hands, where they can then be used for purposes of advertising or contact requests,” the Hamburg DPA said.
Meanwhile, the French petition reportedly states: “We call for an immediate and full investigation of any violations by Clubhouse of our privacy laws, with maximum penalties imposed if Clubhouse’s operations are found to be illegal.”
After referring to Hamburg’s action, the petitioners state: “Now we need regulators in other countries to follow suit and put pressure on Clubhouse … It is also an opportunity to send a strong message to the tech giants: our data is ours and no one else’s.”
In a privacy policy updated 5 March Clubhouse said it may use address book contacts to notify other users if their contacts are members or have just joined, while newcomers may be notified of existing contacts who are Clubhouse members.
The company updated its privacy policies and encryption practices after the Stanford Internet Observatory in the US warned in February the app contained security flaws which left users’ data at risk of being accessed by the China’s authorities.
Chinese tech firm Agora supplies back-end infrastructure to Clubhouse. Agora is subject to China’s national security laws and would be required to assist the Chinese government if it deemed an audio recording jeopardised national security.
At the time Agora reportedly said it does not have access to or store personal data and does not route through China voice or video traffic generated from users outside China.
GRC World Forums has contacted Clubhouse for comment.
PrivSec Global, a live streaming event, takes place on 23-25 March featuring more than 200 speakers and 64 sessions on privacy, data protection and cyber-security.
No comments yet