Italy: Garante fines Alpha Exploration €2M for multiple GDPR violations in relation to Clubhouse

The Italian data protection authority ('Garante') announced, on 5 December 2022, its decision No. 377, as issued on 6 October 2022, in which it imposed a fine of €2 million on, and issued various compliance orders to, Alpha Exploration Co. Inc., for violations of Articles 5(1)(a), 5(1)(e), 5(1)(f), 6, 7, 12(1), 13(1)(a), 14, 27(4), 28, 32, and 35 of the General Data Protection Regulation (Regulation (EU) 679/2016) ('GDPR'), following an ex officio investigation and a complaint submitted by an unknown entity.

Background to the decision

In particular, the Garante reported that it had launched an ex officio investigation following media reports that alleged the existence of various issues relating to the way in which the social network Clubhouse processed personal data. Subsequently, the Garante explained that it had also received, in February 2021, a complaint in relation to the data processing practices of Clubhouse from an unknown entity.

Separately, the Garante determined that Clubhouse was made available to the public through an app owned and operated by Alpha Exploration, a US company with no establishment in the EU.

Findings of the Garante

Further to the above, at the end of its investigation, the Garante rejected Alpha Exploration's argument that it did not fall within the scope of application of the GDPR, and found the company in breach of:

  • Articles 5(1)(a), 6, and 7 of the GDPR, for having carried out data processing activities for the purposes of marketing, recording, and sharing audio with third parties, profiling of users, and sharing of accounts information, in the absence of valid legal bases;
  • Article 13 of the GDPR, for having failed to provide, until 4 August 2021, information on the processing to data subjects;
  • Articles 5(1)(a) and 12(1) of the GDPR, for having provided, after 4 August 2021, information on the processing that lacked the requirements of clarity, transparency, and comprehensibility;
  • Article 14 of the GDPR, for having failed to provide information on the data processing to the data subjects whose telephone numbers are included in the contact list of users who have consented to their sharing with Clubhouse;
  • Articles 5(1)(e) and 13 of the GDPR, for having provided inadequate information as to the personal data retention periods;
  • Article 13(1)(a) of the GDPR, for failing to provide in the privacy notice the contact details of the designated representative in the EU;
  • Article 27(4) of the GDPR, for failure to designate a representative in the EU with the appropriate functions and powers;
  • Article 28 of the GDPR, for failure to designate as data processors the service providers to whom personal data may be disclosed;
  • Articles 5(1)(f) and 32 of the GDPR, for having implemented insufficient security measures; and
  • Article 35 of the GDPR, for having failed to carry out a Data Protection Impact Assessment ('DPIA').

In light of the violations ascertained, the Garante imposed the aforementioned fine, whose amount was determined taking into account, among other things, the seriousness of the infringements, owing to the fact that Alpha Exploration operates a social network of global dimension and, as such, has the possibility of affecting, through its processing, a significant number of natural persons.

Outcomes

In conclusion, the Garante issued a fine of €2 million and ordered Alpha Exploration to comply with the below orders, in relation to Clubhouse processing activities:

  • to integrate its terms of service by including a description of specified features and the relevant safeguards in place for participating in the chat rooms;
  • to include in the privacy notice information on the legal bases applicable to each specific processing purpose;
  • to introduce a feature that would make it possible for users to learn whether a chat is registered before entering the relevant chat room;
  • to provide for a mechanism whereby, in the event that Clubhouse sends an invitation to join the community to persons who are not yet users, whose data has been acquired from the users' telephone books, the text of the invitation includes a link to a dedicated privacy notice;
  • to specify the data retention periods in the privacy notice;
  • to indicate in the privacy notice the email address of the representative in the EU appointed pursuant to Article 27 of the GDPR;
  • to include in the privacy notice a link to the list of data processors appointed pursuant to Article 28 of the GDPR;
  • to specify, in the act appointing the representative pursuant to Article 27 of the GDPR, the representative's functions and limits;
  • to carry out a DPIA; and
  • to communicate to the Garante, within 30 days, the measures adopted to implement the orders.

Moreover, the Garante prohibited Alpha Exploration from any further processing of personal data for direct marketing and profiling purposes without valid consent.

Lastly, the Garante pointed out that Alpha Exploration may appeal the decision before the judicial authority.

You can read the press release here and the decision here, both only available in Italian.

UPDATE (23 January 2023)

EDPB publishes English summary of Garante's decision

The European Data Protection Board ('EDPB') published, on 20 January 2023, a summary in English of the Garante's decision to fine Alpha Exploration €2 million.

You can read the summary here.
