Alpha Exploration, the US provider of the audio chat app Clubhouse, has been fined $2.1 million for failing to comply with the General Data Protection Regulation (GDPR) in a number of areas.

On December 5, the Italian data protection authority discovered a slew of violations of user privacy in their social media app.

Especially during the initial stages of the corona pandemic, Clubhouse gained popularity as a virtual gathering place for audio communications. However, the app's initial excitement quickly subsided.

Read more about this topic on the Politico website.

Clubhouse Data Breaches

The Authority discovered a number of violations, including:

• Lack of transparency regarding the use of users' and their "friends'" data
• Users' ability to store and share audio without the consent of registered individuals
• Profiling and sharing of account information without offering an appropriate legal basis
• Unlimited retention periods for recordings made by the social network

The Alpha Exploration company has also been forbidden from processing information for marketing and profiling without particular consent and will need to take a number of steps to comply with GDPR.

The application was also given a preliminary review by German data protection officers in February 2021 - they were skeptical about the company’s data management with regard to address books and audio recordings.

Italy’s Requirements for the Clubhouse App to Be GDPR Compliant

Clubhouse is accessible to the general public through an app run by the US business Alpha Exploration and is based solely on voice interactions that take place in conversation rooms. Users have the option of starting their own topic room or listening in on someone else's. 

Since January 2022, they have also been able to record conversations and share those recordings with others.

After a lengthy preliminary inquiry sparked by the Guarantor, Alpha Exploration was instructed to initiate a number of user protection measures.

In particular, the business will need to include a function that enables users to be made aware of the likelihood of the chat being recorded before joining the conversation room, and to add a way to notify individuals who are not yet users that their personal data will be used.

The business will also need to incorporate information stating which legal basis applies to each purpose of processing data, the duration of data retention for both personal data and audio files, and any necessary details regarding the "appointed representative". 

This is a role that the GDPR mandates for any business that provides services to EU citizens - or processes their personal data - even when they don’t have an office in one of the EU member states.

Last but not least, Alpha Exploration will need to evaluate the impact of the data processing done via the Clubhouse platform.