Clubhouse: safe to use, or instant data breach?

Heard of Clubhouse? It’s an audio-only social networking app, and it has a privacy problem.

Earlier this month, their personal data practices caught the attention of CNIL, the French privacy authority, which opened an investigation (link in French only). Expect more investigations to follow across the EU, the UK, and Canada.

Seeing this negative attention directed at the app, I got to thinking: what about the app user’s responsibilities? Are their employers committing a data breach when they share address books with the app?

Clever marketing, bound to cause complaints

Clubhouse asks every user to hand over their phone’s address book. The user is free to refuse, of course, but then the app’s best features won’t work. For example, if you don’t share your contacts, you can’t invite your friends to use the app.

It’s a clever use of an age-old marketing strategy. First, create a contrived sense of exclusivity. Use that to play on our natural FOMO (fear of missing out). Then restrict access to the party until we flash you some skin. (In the social media age, replace “some skin” with “oodles of personal data about us and our contacts” and you get the picture.)

It’s a good bet most users share their contacts. Clubhouse uses this data for a variety of purposes, including sorting out who might already know whom. That helps them suggest new connections to app users.

It was just a matter of time before someone complained.

Is using Clubhouse a data breach?

If you own or manage a business, you might want to ask: do your people keep Clubhouse and business contacts on the same phones? If yes, then they are probably handing personal data from your business to Clubhouse.

If that’s happening, it’s probably a data breach by your business, even if the employee is using their own phone.

It doesn’t matter who owns the device. Names and contact details are personal data. Privacy law such as GDPR and PIPEDA require each business to protect the personal data it uses for business.

Singling out Clubhouse is probably unfair

Though Clubhouse is getting negative attention, they are hardly the only data-hoovering app out there. The problem for businesses can go much deeper.

Think about how many apps a typical smartphone has. Take out your own phone. Look at each app. Ask yourself what data it can access on (or through) your device, who it gives that data to, and how you know it’s safe in their hands.

If your people give your business data improperly to an app, that’s your data breach. If the app itself has a personal data breach, it can be just as much your problem as the app’s.

Data and apps governance

How do you avoid this? With good IT, cybersecurity, and data governance processes.

In plain English, start with a few questions before anyone installs an app on a device they use for work:

  • what does this app do?
  • what data does it collect?
  • are we legally responsible for that data?
  • where is it stored it and is it secured properly?
  • who runs this app?
  • who are they going to share the data with?
  • how are they planning to use it?
  • what does our contract with them say about data?
  • (do we even have a contract with them!?)
  • forget the contract – who is this supplier, and can we trust them to handle personal data about our employees, customers, and suppliers?

Trevor Fenton, LLB, CIPP/E, practises UK and Canadian privacy and business law at Scottish law firm Plain English Law.

Back to top