Garante per la protezione dei dati personali (Italy) - 9828901

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 3(2)(a) GDPR
Article 5(1)(a) GDPR
Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 6 GDPR
Article 7 GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 13(1)(a) GDPR
Article 14 GDPR
Article 27(4) GDPR
Article 32 GDPR
Article 35(3)(a) GDPR
Article 58(2)(d) GDPR
Article 58(2)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started: 05.02.2021
Decided: 06.10.2022
Published: 05.12.2022
Fine: 2,000,000.00 EUR
Parties: Alpha Exploration Co. Inc.
National Case Number/Name: 9828901
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: cmart

The Italian DPA fined Alpha Exploration €2,000,000 for operating the Clubhouse social network in violation of the GDPR provisions on lawfulness and transparency, for failing to assess the risks arising from the processing and for appointing an EU representative without the required mandate to act on behalf of the controller.

English Summary

Facts

Since 2020, the US company Alpha Exploration Co. Inc. (the controller) has offered and operated the social network Clubhouse. The social network is based exclusively on voice interactions that take place in conversation rooms. Users can choose to open a thematic room or enter another person's room as a listener. From January 2022, using the platform's new Clips & Replays features, users can (i) store and record conversations on the platform, even in part, and (ii) share those recordings with third parties. On the basis of profiling activities, Clubhouse allows other users to find people who may have a common interest or connection. In addition, Clubhouse collects contact data from the address book of its users' devices. This collection would allow users to connect with people they know, and to invite friends to join them on Clubhouse.

Following press reports that revealed the existence of several problems with the way personal data were processed by the controller, the Italian DPA opened an ex officio investigation. The DPA also received a report highlighting a number of critical issues with Clubhouse relating to security, the exercise of data subjects’ rights, the lack of an EU representative, profiling activities, and the retention of personal data. On the basis of the information gathered, the DPA informed the controller of a number of violations that it had found following a first assessment of the matter.

Holding

The DPA started by considering whether it was competent to make a decision regarding the controller's processing activities. The DPA considered that the conditions for applicability of the GDPR set out in Article 3(2)(a) GDPR were met since the controller offered its services to data subjects in the EU. The DPA claimed jurisdiction on the basis of Article 55(1) GDPR because Clubhouse (i) was operated by a company that had no establishment in the EU and (ii) constituted cross-border processing of personal data within the meaning of Article 4(1)(23) GDPR because it affected data subjects in more than one Member State.

Following the closure of the investigation, the DPA considered that the controller committed the following violations in the context of the provision of the Clubhouse service. The DPA found a violation of Articles 5(1)(a), 6 and 7 GDPR for processing carried out for the purposes of marketing, profiling, profile sharing, and audio recording in the absence of an appropriate legal basis.

With regard to processing carried out for marketing purposes, despite what the controller had stated, there was a reference in the privacy policy to the direct marketing purpose for which consent was collected on the basis of an 'opt-out' mechanism. Therefore, the DPA declared that such processing was unlawful because it was carried out on the basis of an implicit consent mechanism, which was not in line with the conditions for valid consent set out in Article 7 GDPR.

With regard to the processing carried out by means of the Clips & Replays function, on the basis of allegedly being necessary for the performance of a contract, the DPA indicated that the terms of service needed to be updated to make the processing more transparent. Indeed, the terms of service did not mention the Clips & Replays function.

According to the terms of service, Clubhouse would indiscriminately record every conversation in every room on the basis of its legitimate interest in 'monitoring' possible violations of its guidelines. The DPA declared this processing unlawful because it was carried out in the absence of an appropriate legal basis under Article 6 GDPR. Contrary to the controller's contention, the processing could not be justified on the basis of legitimate interest because it would have entailed widespread and pervasive monitoring, and thus be disproportionate.

The DPA also declared unlawful the processing for profiling purposes, justified by the controller with the need to execute the contract. According to the DPA, the user would in fact have been able to use the service even without submitting any information in addition to that required for the creation of the account and without allowing the controller to carry out further processing regarding the manner of their interactions with the platform.

Finally, the DPA noted that the privacy policy disclosed that personal data of users is processed both for the provision of the service and for the purpose of developing and improving Clubhouse products. The legal basis for processing would reside in the legitimate interest of the controller. In this regard, the DPA observed that, in the absence of further specifications, if the processing involved profiling operations, it would appear to be entirely identical to the processing, discussed above, aimed at providing the service to the data subject and, in such a case, would also be unlawful for lack of a valid legal basis.

The DPA established a violation of Article 13 GDPR in that the controller did not provide, until 4 August 2021, information about the processing, and a violation of Articles 5(1)(a) and 12(1) GDPR, for having rendered, after 4 August 2021, a privacy notice lacking the requirements of clarity, transparency and comprehensibility.

The DPA also found a violation of Article 14 GDPR because the controller failed to provide non-users with information on the processing of their telephone numbers in the event that the user decided to synchronise their contacts on the Clubhouse platform. The DPA instructed the controller to include a link to a specific policy in the text of any invitation sent to non-users to join the community.

The DPA also confirmed that Articles 5(1)(e) and 13 GDPR had been infringed because the controller did not provide sufficient information about the data retention periods for the specific purposes pursued. According to the DPA, it was also unclear that the audio files created with the Clips & Replays function would be retained until the possible termination of the account by the user who generated them, unless the user requested their deletion.

With regard to the representative in the EU appointed by the controller, the DPA established a breach of Article 13(1)(a) GDPR for not having duly indicated the representative's contact details. The representative is not a mediator or facilitator but, as specified in Recital 80 GDPR, the person who acts on behalf of the controller with regard to the GDPR obligations. The DPA held that the role of the representative was too ambiguous because it was not indicated that the representative actually had the mandate to act on behalf of the controller, violating Article 27(4) GDPR.

The DPA confirmed that the controller violated Article 35 GDPR for not having carried out a DPIA despite the fact that the processing activities performed fell within the types of processing that require an impact assessment, given that they took the form of profiling users on the basis of their preferences and that the data processed could also include those of minors.

In conclusion, the DPA imposed a series of corrective measures on the controller, pursuant to Article 58(2)(d) GDPR, ordering the controller to bring its processing activities in line with the GDPR. The DPA also imposed an administrative fine of €2,000,000 on the controller for the violation of multiple GDPR provisions, as discussed above.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Press release of 5 December 2022

[doc. web no. 9828901]
Injunction Order Against Alpha Exploration Co. Inc. - October 6, 2022
Register of measures
no. 377 of 6 October 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46/CE (General Data Protection Regulation, hereinafter "Regulation");
HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");
CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");
HAVING REGARD to the documentation in the deeds;
HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;
SPEAKER the lawyer Guido Scorza;
WHEREAS
1. INTRODUCTION
The proceeding originates from a complex preliminary investigation launched ex officio following press reports which revealed the existence of various problems relating to the methods of processing personal data put in place by the Clubhouse social network.
On 19 February 2021, the Office also received a report from the XX, which underlined a series of critical issues of the Clubhouse relating to security profiles, exercise of rights, lack of a representative in the European Union, profiling activities, retention of personal data (file n. XX).
Clubhouse is a social network based exclusively on vocal interactions that take place in conversation rooms called rooms, available to the public via a mobile application (hereinafter the "App") released in its first version in March 2020 for the Android system and in September of the same year for the iOS environment.
The App is operated by a US company, Alpha Exploration Co. Inc. (hereinafter “Alpha Exploration” or the “Company”), located at 548 Market Street PMB 72878, San Francisco, California 94104, USA. The Company is not established in any Member State of the European Union.
2. INVESTIGATION ACTIVITY
With a note dated 5 February 2021 (prot. 7464/21) the Guarantor sent a request for information to the Company, owner and manager of the social network; the request was renewed, using traditional delivery methods with a view to maximum protection of the party, with a note of 25 February 2021 (prot. 11378/21).
The Company responded to the request for information with a communication dated 8 March 2021 (prot. 12877/21) in which, on a preliminary basis, it claimed the absence of Italian jurisdiction, given that:
- the processing operations connected to the social networking activity put in place by Clubhouse would not fall within the scope of the art. 3, par. 2, lit. a), of the Regulation as the Company would not have had, at least originally, the intention of offering its services in the European Union; elements to the contrary could not be inferred from the mere fact that the App was freely available for download in the stores of the two main operating systems for mobile devices; the Company would never have promoted advertising or marketing campaigns in the European Union.
On the merits, the Company reported the following:
- in relation to the absence of the information pursuant to art. 13 of the Regulation in the privacy policy, this deficiency would be attributable to the company's choice to offer its services only in the United States of America but, considering the great expansion of the App also in Europe, the information was subsequently implemented in a GDPR-compliant manner;
- with regard to the legal bases of the processing, no assessment would have been made in this regard since the Company was not considered subject to the Regulation; however, a mandate would have been given to a law firm to examine the matter and, probably, the legal bases would have been the execution of the contract and the legitimate interest of the owner and, if deemed necessary, the consent of the interested party;
- as for the purposes of the processing, there would be three purposes pursued: 1) execution of the contract as outlined in the terms of service, including the activity of suggesting content based on the user's interests; 2) resolution of so-called incidents (e.g. bullying, harassment, age verification); 3) improvement of the service, implementation of new features and fulfillment of legal obligations;
- regarding the recipients or categories of recipients of the personal data, the information of a personal nature would be shared with service providers, to be identified as data controllers, including audio streaming software, sending of verification text messages, analytics and hosting and services that help manage user messages when people join or leave chatrooms;
- with reference to retention periods, personal data would be kept for as long as the user has a Clubhouse account, with the exception of audio data, which would be deleted when the conversation room ends, unless a security or confidentiality breach has been reported or detected. In this case, the audio would be sent to a special team for the appropriate investigations on the reported incident and eliminated once the investigation is complete;
- in relation to the recognition and exercise of the rights pursuant to articles from 12 to 22 of the Regulation, user requests, assessed in accordance with the applicable law, would be forwarded to the email address support@alphaexplorationco.com, subject to the implementation of further measures;
- the audio data would not be processed biometrically;
- all data and related transmissions would be encrypted, including audio files relating to incidents which could only be decrypted on Clubhouse servers;
- the accounts of minors would be suspended subject to the implementation of further age verification measures;
- tools for adopting automated decisions would not be applied pursuant to art. 22 of the Regulations not even in the moderation activity with possible blocking of subjects who do not respect the rules of the Clubhouse community.
With a note dated 16 March 2022 (prot. 15589/22) the Guarantor notified the Company of the deed of initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2 of the Regulation and notification of alleged violations pursuant to art. 166, co. 5, of the Code.
With this deed, the Company was charged with violating the following provisions, with reference to the treatments implemented by the Clubhouse platform:
a) articles 5, par. 1, lit. a), 6 and 7, of the Regulation, for having carried out treatments for marketing purposes, recording and sharing audio with third parties, profiling and sharing information on accounts, in the absence of an appropriate legal basis that legitimizes the treatments themselves;
b) art. 13 of the Regulation, for having failed to provide, until 4 August 2021, information on the treatment to data subjects who provided their personal data;
c) art. 14 of the Regulation, for having failed to provide information on the treatment to subjects whose telephone numbers are present in the contact list of users who have consented to their sharing with the Clubhouse;
d) articles 5, par. 1, lit. a) and 12, par. 1, of the Regulation, for having provided, after the date referred to in point b), information on the processing in the absence of the requirements of clarity, transparency and comprehensibility set forth therein;
e) articles 5, par. 1, lit. e) and 13 of the Regulation, for having provided unsuitable information regarding the retention times of personal data;
f) art. 13, par. 1, lit. a), of the Regulation, for not having duly indicated the contact details of the designated representative;
g) art. 27, par. 4, of the Regulation, for failing to designate a representative with suitable functions and responsibilities;
h) art. 28 of the Regulation, for not having duly designated the service providers to whom the personal data may be communicated as data processors;
i) articles 5, par. 1, lit. f) and 32 of the Regulation, for having implemented security measures which, taking into account the nature, object, context and purpose of the processing, as well as the risk to the rights and freedoms of natural persons, do not appear adequate to guarantee a level of security appropriate to the risk itself;
j) art. 35 of the Regulation, for having failed to carry out an assessment of the impact of the envisaged treatments on the protection of personal data, taking into account the recurrence of the hypothesis referred to in paragraph 3, lett. a), of the aforementioned art. 35.
The Company has exercised its right of defence, pursuant to art. 166, co. 6, of the Code and of the art. 13 of the Regulation of the Guarantor n. 1/2019, through the presentation of written submissions, transmitted, following the granting of an extension of the envisaged term, with communication of 16 May 2022 (prot. 26635/22), and a hearing, held remotely on 10 June 2022 (report registered under no. 31149/22).
The defensive position of the Company, as set out in the written brief and during the oral hearing, will be represented in detail in the following paragraphs, in particular in the fifth section of this provision relating to the violations ascertained.
3. EXISTENCE OF EURO-UNION JURISDICTION AND COMPETENCE OF THE GUARANTOR
The art. 3 of the Regulation governs the territorial scope of the same, identifying differentiated conditions depending on whether or not the data controller is established in the territory of the European Union.
In the case in question, Alpha Exploration has not identified an establishment in Europe and therefore, in order to conduct an assessment regarding the applicability of the European legislation on the protection of personal data to the processing carried out by Clubhouse, it is necessary to verify the existence of the criteria pursuant to art. 3, par. 2, of the Regulation (so-called targeting). These criteria are identified in the offer of goods or services to interested parties who are located in the Union or in carrying out a monitoring activity of their behavior, to the extent that the latter takes place in the European Union.
Preliminarily it is noted that, for the purposes of applying the targeting criterion, the data being processed must concern data subjects in the Union. In the present case, the fact that Clubhouse processes personal data of subjects located in the European Union and in particular in Italy, although initially denied, is an argument no longer disputed by the Company in the defense brief of May 16, 2022.
In this brief, in fact, it is underlined that, when the App was launched in 2020, "the places where the users were [...] were not a function of any marketing activity promoted by Clubhouse nor of choices made by the same, as they depended on which users invited which other people and where the invited people happened to be". The user base in Europe, and in Italy in particular, would therefore have grown by virtue of the rapid spontaneous diffusion of the App, rather than as a result of targeted actions undertaken by the Company. In this respect, the Company reiterated that Clubhouse did not intend, within the meaning of art. 3, par. 2, of the Regulation, in the initial phase of its diffusion, to offer its services to interested parties present on the Italian territory.
However, the Company specified that, starting from spring 2021, having taken note of the de facto situation, i.e. the widespread diffusion of the App globally (90,000 active users per month in Italy in August 2021), it decided to launch an action of progressive adaptation to the Regulation, starting to acquire "the necessary capacity to honor requests for access and deletion of data".
An updated privacy policy was published on 4 August 2021 dedicated to EEA users and containing the obligations required by the Regulation for the data controller (see, on the merits, section 5.2 relating to the violation of transparency obligations).
In summary, as expressed verbatim in the defense brief cited above (see page 5), the Company does not dispute that it is subject to the Regulations as "starting from August 2021, the Clubhouse has made a substantial commitment by doing its best to respect the obligations established by the Regulation as quickly as possible”, regardless of the formal recognition of a legal obligation.
The Guarantor therefore considers the conditions of applicability of art. 3, par. 2, lit. a) of the Regulations given that, as admitted by the Company itself, Clubhouse offers its services to interested parties in the Union and, therefore, the Italian jurisdiction appears to exist.
As far as the competence of the Italian supervisory authority is concerned, the Guarantor observes that the processing carried out by Clubhouse can be easily qualified as cross-border processing of personal data pursuant to art. 4, par. 1, no. 23 of the Regulation as it is capable of affecting interested parties in more than one Member State. As is known, for this type of processing, where the owner has identified a single or main establishment in the European Union, the cooperation mechanism described in articles 60 ff. of the Regulation applies, whose direction is entrusted to the so-called lead supervisory authority, which coincides with the supervisory authority of the Member State in which the aforementioned establishment is located. On the contrary, in cases in which the prerequisite for the operation of this mechanism is missing, i.e. the presence in the European territory of an establishment of the data controller, the data controller will have to "interface with the supervisory authorities of each Member State in which it operates through the designated representative" (see par. 3.3. of the Guidelines on the Lead Supervisory Authority adopted by the Article 29 Working Party on 13 December 2016, revised on 5 April 2017 and endorsed by the Personal Data Protection Committee on May 25, 2018).
In the present case, as mentioned, Clubhouse is managed by a company based in the United States of America which has no establishments in the territory of the European Union and, therefore, on the basis of the provisions of art. 55, par. 1 of the Regulation, "each Supervisory Authority is competent to perform the tasks assigned and to exercise the powers conferred on it pursuant to the (...) regulation in the territory of the respective Member State".
This provision is therefore suitable for establishing the competence of the Italian data protection authority with regard to the assessment, with regard to its territory, of compliance with the Regulation put in place by Clubhouse and the exercise of the powers recognized to it by art. 58 of the Regulation.
4. THE COMPANY AND THE CHARACTERISTICS OF THE SERVICE OFFERED
As reported in the defense brief dated May 16, 2022, originally the Company, formed only by the two founding partners, made the App available to a limited number of users chosen manually by the founders themselves. Only in September 2020 was the App made available for iOS on the Apple Store, and the number of users went from around 5,000 in September to around 115,000 (of which 90% US users) in November 2020. From that moment on, within three months, the service spread rapidly, reaching 16 million active users per month.
At this point, the Company's organization began to grow, reaching 80 employees in October 2020, and to structure itself, hiring professional figures for dedicated management of the security and processing of personal data. In particular, the Head of Security Engineering and the General Counsel were hired, and the Trust & Safety, Legal Operations and Policy and Public Affairs.
This organization has allowed the Company to systematically address the issue of security measures and comparison with the various privacy regulations to be observed, given the global diffusion of the service.
From a functional point of view, the peculiarity of the Clubhouse, as mentioned, is linked to the use of the voice and conversations to network; after an initial implementation limited to the iOS operating system and based on invitations, the App was made freely usable and available also in the Android environment. Users can be active, if they choose to open a thematic room, or passive, if they simply access someone else's room as listeners. Furthermore, with the privacy policy update of 6 January 2022, users, using new features of the platform, can a) keep and record even part of the conversations on the platform and b) share the same recordings with third parties (Clips & Replays functionality). The audio files are, as a rule, eliminated at the end of the conversation room, but they can be kept by the Company for the time necessary to resolve a dispute, if a so-called incident is reported or disclosed in conversation.
5. THE ASSESSED VIOLATIONS
5.1. Articles 5, par. 1, lit. a), 6 and 7 of the Regulation
With reference to the first of the objections made by the Office, it must be recalled once again the fact that in the privacy policy published on the Company's website, until 4 August 2021, there was no information provided by the owner pursuant to art. 13 of the Regulation, due to the incorrect assessment by Alpha Exploration Co. regarding the (non) applicability of the European and Italian legislation on the protection of personal data to the treatments carried out through the Clubhouse platform.
Without prejudice to what is represented in paragraph 3 regarding the existence of Euro-Union jurisdiction and the related competence of the Guarantor, it must also be considered that in the case in question no suitable elements have emerged which would allow the Company to benefit from the exemption (moreover not expressly invoked) of the good faith established by art. 3 of the law n. 689/1981, given that, as often stated by the jurisprudence (for all, Court of Cassation, section II Civil, order 12 October 2018 - 28 February 2019, n. 6018), "the responsibility of the offender is not excluded by the mere state of ignorance regarding the existence of the relative presuppositions, but it is necessary that this ignorance is innocent, that is, cannot be overcome by the interested party with the use of ordinary diligence [...]. In order to configure the exemption of good faith, which is relevant as a cause for exclusion of administrative liability, positive elements are needed that are suitable for inducing in the perpetrator of the violation the conviction of the lawfulness of his conduct and it also appears that the offender has done everything possible to comply to the precept of the law, so that no reproach can be made against him".
Indeed, the Company could have correctly configured the structure of the obligations and fulfilments related to the application of the provisions on the protection of personal data in Europe, as moreover admitted by Alpha Exploration during the hearing, if it had made use of lawyers and consultants more integrated into the processes that were being developed and if it had monitored more punctually the change in the legal scenario that the sudden growth in membership of the Clubhouse platform had brought about.
With reference, however, to the new privacy policy present in the Clubhouse platform, the deed of initiation of the proceeding highlighted that the treatments for the purpose of "direct marketing" cannot be lawfully carried out on the basis of a mechanism of expression of implicit consent or of "opt-out", a mechanism present in the current regulatory framework only with reference to well-identified treatments and specific purposes.
Similarly, the identification of the legal basis of legitimate interest for the processing of audio files recorded and shared by users with other parties was considered inappropriate. Still on the subject of audio recordings, it has been observed that there is no clear identification of the legal basis that legitimizes the processing of recording and sharing files using the functions of the Clips & Replays.
The act of initiation of the procedure also revealed the inadequacy of identifying the legal basis of legitimate interest with reference to the use of account data to allow the sharing of the profile of the interested party and to suggest this profile to other users, as well as the profiling of the interested party (improve and personalize the experience, select interests, recommend rooms and users to follow and clubs of interest) with reference to interests, use of the platform and connections.
With reference to the aforementioned disputes in relation to "direct marketing" processing, the party represented, in the defense brief, that Clubhouse does not publish advertisements on the platform and does not carry out direct marketing activities except after requesting consent based on the “opt-in” mechanism. As for the push notifications that Clubhouse sends to users in the European Union, they are sent in order to share information about the service and inform users of what is happening on the App they have already signed up for (e.g., remind users that a conversation room is about to start).
The party underlined the indispensable nature of this service since “the purpose of the Clubhouse is to connect people through conversations in small and large virtual rooms. By notifying a user, for example, that another user has joined Clubhouse, has opened a virtual room or is available for a conversation, Clubhouse is sharing factual information that helps users connect with each other more effectively. Clubhouse isn't advertising any products or services, it's simply helping users get the most out of the service they've already signed up for by letting users know what's going on."
However, Alpha Exploration has realized that what is represented in the privacy policy, using the term "direct marketing" improperly, could cause confusion and has therefore declared that it has taken steps to modify the text in order to avoid references to this activity.
As for the processing of audio files, the Company has highlighted how these files can be recorded and shared for two distinct purposes, namely to investigate violations of community guidelines and to allow users to save or share audio recordings when using the platform through the Clips & Replays. It then reiterated the need for such treatments to provide the services provided for in the Clubhouse contractual conditions and this circumstance would justify the use of the contractual legal basis for this treatment purpose. In any case, the Company would be committed to updating the text of the supplementary information for European users in order to improve its transparency and make the part relating to the aforementioned treatments more easily understandable.
Lastly, with reference to the processing aimed at profiling user data and sharing these profiles, the Company reaffirmed the Clubhouse approach, whose fundamental purpose is to create a community by allowing users to share virtual rooms in which they can join conversations with other people. The company says the profile "identifies you and lets other users know who you're connecting with or inviting to a room." The profiles, according to Alpha Exploration, would be created on the basis of information that users freely decide to share and this would help other users to “find people who may have a common interest or connection. These profiles and the purposes they serve are the foundation of the community you choose to be a part of when you join Clubhouse." Therefore, users can choose what they want to share and publish in their profile: "when a user selects a topic, the user can decide to make that topic visible to others in their user profile or to hide it from other users and keep it private. Users also have the option to select the "protected profile" setting. When this setting is selected, the user's full profile is only visible to people whom the user has approved as followers. When a profile is protected, only approved followers can see the rooms, clubs and replays in the user's profile”.
The Company still maintains that Clubhouse is a personalized service by design always in order to help users connect and create a community. To personalize its service in this way, it is essential for Clubhouse “to understand user interactions on the platform. In this way, Clubhouse is able to obtain enough information to offer a service where users can easily develop a community”. The profiling carried out by Clubhouse does not have advertising or marketing purposes but constitutes an "intrinsic and expected element of the service and we believe that it is therefore necessary for the execution of the contract with the user, i.e. the execution of the Terms of Service".
Alpha Exploration concludes by representing that “when a user decides to join Clubhouse, it is reasonable that he expects to receive content that reflects his interests. Also, the user is more likely to like the platform if they make an active selection of the type of content they want to see. With this premise, there are valid reasons to state that Clubhouse has a legitimate interest in developing this type of personalized experience for its users and that this interest is not excluded from the interests of the user, since the related processing of personal data is carried out in a transparent way and according to the user's selections in order to meet the user's expectations of receiving a personalized service”.
To evaluate Alpha Exploration's defensive arguments it is necessary to analyze the new disclosure and terms of service documents that the Company published on its website on May 16, 2022.
As regards the processing of audio files, specifically those subject to disputes on the suitability of the legal basis, i.e. the files created by the user by activating the Clips & Replays, it must be noted that nowhere in the document on the terms of service is the existence of this function explicitly indicated, so that attributing the processing of the contents of the files to actions necessary for the execution of the contract does not appear to comply with what the Company itself declares in the conditions of service.
Again with reference to audio files, the terms of service document, in point 3.C, reports that Clubhouse records conversations in all rooms to "monitor" any violations, in order to analyze and counter any abuses. If a user reports (or the platform's automated systems detect) potential violations, the recording is kept for a time that is not predefined but is necessary to investigate the potential violation. Otherwise it is deleted, usually within 10 minutes. The Company points out, in the aforementioned document, that the recorded entries, as well as the other "user content", understood as everything that the user says, publishes or makes available, can be used in any way "consistent" with the privacy policy.
As regards the treatments attributable to the purpose of profiling, as indicated by the Company in the defense brief and hearing (in which it was reiterated that "in a social platform open to interaction between multiple users, it is necessary for the execution of the contract with the user, proceed with an analysis of the interaction of users with the platform to arrive at an intrinsic and organic personalization of the services and contents, suitable for satisfying the needs of the user base to know what happens on the platform, i.e. which conversations are open, which conversations to participate in"), the terms of service document indicates, in point 2, that the Clubhouse platform uses information about favorite content and the activities carried out in the rooms to recommend other users, clubs or content.
Furthermore, the contents made available by the user may be subject to access, examination, evaluation and cancellation by the Company, at any time and for any reason, also to provide and develop the platform services.
As for the Clubhouse privacy policy, in the first place it must be noted that, despite what was represented before the Authority during the hearing and, even earlier, with the defense brief, the reference to the processing of personal data carried out for direct marketing purposes remains, for which the "opt-out" mechanism already subject to dispute would operate. While taking due account of what has been declared by the Company regarding the fact that it does not carry out marketing activities, it must be noted that the disclosure is the document which discloses the choices of the owner and which constitutes the legal premise for the collection of data and consequent treatments. The information regarding direct marketing, therefore, at the state of the records, constitutes the declaration regarding the purposes, methods and legal basis of the aforementioned processing, with regard to which the observations regarding its illegality already expressed in the dispute must be confirmed.
With reference to the treatments relating to the recordings contained in the audio files, made through the use of the Clips & Replays, it should be noted that in the integration of the privacy policy document intended for users of the European Union there is an extensive list of "justifications for data processing" which exposes the orientation of Alpha Exploration regarding the legal basis of the various treatments.
This list includes the reference to the treatment carried out relating to the saving by users of the recordings of the conversations, treatment which is traced back, as specified during the hearing, to the legal basis pursuant to art. 6, par. 1, lit. b), of the Regulation ("processing is necessary for the execution of a contract of which the interested party is a part or for the execution of pre-contractual measures adopted at the request of the same"). This legal basis is indiscriminately attributed to all users of the platform, both to the administrator of the public room in which the conversation takes place, and to the other subjects who participate in the conversation, even though the latter have a role and, above all, different faculties with respect to administrators. The privacy policy, at point B, specifies with regard to Replays that: “We record conversations in public rooms and make them available to other users where the room creator instructs us to do so by enabling the “Replay” feature. When Replays are enabled, the recording will be stored by the Clubhouse and may be made available to other users on the Clubhouse at the room creator's instruction. Replays may also be available outside of Clubhouse” [emphasis added]; with reference to the Clips, however, we read: “Users may also record portions of conversations when a room creator enables the “Clips” feature. When Clips are enabled, anyone in the room is able to generate a video file on the user's local iOS or Android device that contains the last 30 seconds of audio material from the room, and a graphic depicting the room title and speakers. This video file is not transmitted to Clubhouse or stored by Clubhouse. Rather, it is saved on the user's local device, where it can be posted to other online platforms or sent to other people through SMS, other apps or other communication tools" [emphasis added].
From the above, it can therefore be deduced that in the case of Replays, the Company keeps the recordings, notwithstanding the rule of immediate elimination, keeping them available to the administrator of the room, who can decide on any subsequent use, including dissemination. Without going into the merits of the exact allocation of co-responsibilities between the platform and the administrators (to which the Regulation must apply where the so-called domestic exception referred to in Article 2, paragraph 2, letter c) is not applicable), it is indisputable that the Company treats the data of users who participate in a recorded conversation to the extent that it keeps their data to make them available to the administrators. Clubhouse will therefore be required, in carrying out this treatment, to respect the principles of correctness and transparency, pursuant to art. 5, par. 1, lit. a), of the Regulation. In particular, the Company must accurately indicate, in the terms of service, the contractual conditions applicable to users, distinguishing the prerogatives of the administrators and the safeguards established in favor of the participating users. In this context, the dictate of recital 78 of the Regulation appears to be paramount, which recalls the duty of manufacturers to design and manufacture their respective products taking into account the regulation on the protection of personal data, including the principle of transparency.
The defensive briefs produced by Alpha Exploration show the information boxes prepared by the platform in order to inform and clarify the activation of the Replays recording function. On closer inspection, however, the functionality appears, on the one hand, to be given little prominence, and on the other, to be present only within the room while, from the standpoint of the full awareness of incoming users, it would have been more appropriate to display the pop-up before access to the room itself. This solution would allow each user to decide, before entering a room, whether to participate or not, also in consideration of the fact that the conversation in progress is being recorded. Otherwise, the user would be forced to enter a room to find out whether the Replays function is active or not.
With reference, however, to the recordings of conversations made by the Company for the purpose of investigating possible violations of the guidelines of the Clubhouse community, Alpha Exploration confirmed that the legal basis of the processing lies in the legitimate interest of the owner pursuant to art. 6, par. 1, lit. f), of the Regulation ("the processing is necessary for the pursuit of the legitimate interest of the data controller or of third parties, provided that the interests or fundamental rights and freedoms of the data subject who require the protection of personal data do not prevail").
In this regard, reference must be made to what is indicated in recital no. 47 of the same Regulation, where it is highlighted that "the interests and fundamental rights of the interested party could in particular prevail over the interests of the data controller if the personal data are processed in circumstances in which the interested parties cannot reasonably expect further processing of personal data” and again that “it is equally a legitimate interest of the data controller concerned to process personal data strictly necessary for fraud prevention purposes”.
On the basis of the aforementioned provision and the aforementioned recital and the interpretation of the Court of Justice of the European Union (cf. judgment C-13/16 - Rīgas satiksme), it constitutes a necessary parameter for assessing the existence of the legitimate interest of the data controller to process data of the interested party regardless of his prior expression of consent, the fact that the interests, rights and fundamental freedoms of the interested party do not prevail over this interest and, not a secondary element, that the data processed are "strictly necessary" to the purpose pursued, in particular if the same is attributable to the prevention of unlawful conduct.
In the case in question, the conditions referred to above do not appear to exist, firstly because the treatment, based on what is indicated in the privacy policy, would not be activated only on notification by users of concrete behaviors that violate the rules of the community, carried out by other subjects, but also (and above all) in advance on each room and on each conversation that would be recorded and monitored by automated systems ("We record conversations in all rooms to monitor for violations of our Community Guidelines or our Terms of Service, or for otherwise illegal or illicit activity. If a user or our automated systems flag potential violations, we will retain the recording as long as reasonably necessary to investigate the potential violation").
The disproportion between such widespread and pervasive monitoring is evident, in which, moreover, the reporting of any unlawful behavior is left, in the first instance, to automated decision-making processes (monitoring which also affects the rights of freedom of assembly, association and expression of thought whose inviolability is recognized by the Italian Constitution on the basis of the provisions of articles 17, 18 and 21), and the purpose of preventing and combating any behavior that does not comply with the guidelines of the community, almost as if merely being part of an association (of a community, as in the present case) allows it to "listen" to all the conversations of each member, to confirm at all times their compliance with the statutory provisions.
If to this we add that, for the above treatments, carried out through automated processes, neither the interested parties nor, much less, the Authority have been provided with information regarding the criteria and the logic used, so that it is not known which and how many conversations are kept by the owner for further checks, it must be concluded that these treatments, whose legitimacy can also be objected at the root, certainly cannot be supported by a legal basis that disregards free, unequivocal, specific and informed consent of the interested party.
From this point of view, therefore, what was contested against the Company in the deed of initiation of the administrative procedure must be confirmed.
Finally, as regards the treatments carried out through profiling, it must first of all be noted that, contrary to what was previously indicated, Alpha Exploration represented in the defense brief and in the hearing that the same would be supported by the legal basis pursuant to art. 6, par. 1, lit. b), of the Regulation (execution of a contract) and not from that relating to the pursuit of a legitimate interest of the owner.
However, if in the document on the terms of service (which constitutes the contractual basis of the user) there is a constant reference to the "user content" and to the use that the Company can make of such contents (which, it is reiterated, are intended in an extremely broad meaning, i.e. everything that the user says, publishes or makes available), in the table of the legal bases reported in the European integration of the privacy policy, there is no trace of this definition, so that it becomes extremely complex, even for a user aware of the platform, to create some connection between what is represented in the terms of service and what is declared in the information.
From a combined, and certainly not easy, reading of the two documents, it can be seen that the data that may be processed to allow the personalization of products, the creation of a profile that allows other users to invite the interested party to their rooms and the sending of suggestions regarding users, clubs or other contents deemed relevant for the interested party, are those relating to the selected interests, to the activity carried out through the platform, to the so-called "user content", to account information, to "biographical" information (intended as additional personal information, profile photos, notes on one's life, all information that Alpha Exploration reserves the right to "request", without however representing the consequences of a possible non-response by the user).
In the case in question, reference must be made to what is indicated in the "Guidelines 2/2019 on the processing of personal data pursuant to article 6, paragraph 1, letter b), of the general regulation on data protection in the context of the provision of online services to data subjects", adopted by the European Data Protection Board on 16 October 2019, which states that "online services often collect detailed information on how users interact with their service. In most cases, the collection of data relating to organizational parameters concerning a service or details relating to user involvement cannot be considered necessary for the provision of the service, as the service can be provided in the absence of the processing of such personal data. However, a service provider may base such processing on alternative legal bases such as legitimate interest or consent. The European Data Protection Board does not consider that Article 6(1)(b) generally constitutes an appropriate legal basis for processing carried out for the purpose of improving a service or developing new functions in the context of an existing service. In most cases, a user enters into a contract to use an existing service. Although the possibility of making improvements and changes to a service is often systematically included in the contractual terms, this treatment cannot be considered objectively necessary, in general, for the execution of the contract stipulated with the user".
The above completes and specifies the observations contained in the "Guidelines on the automated decision-making process relating to individuals and on profiling for the purposes of regulation 2016/679", adopted on 3 October 2017 and amended on 6 February 2018 by the working group ex art. 29 for data protection and in the Opinion given by the same Group on 9 April 2014 on the subject of legal bases of processing, which reiterate that the provision regarding the contractual legal basis "must be strictly interpreted and does not contemplate situations in which the processing is not actually necessary for the performance of a contract, but unilaterally imposed on the data subject by the controller. Furthermore, the fact that some data processing is covered by a contract does not automatically mean that such processing is necessary for its execution".
The distinction must be sought in the need for the profiling activity for the purpose of executing the contract, a need which in the case in question is not recognized given that each user can join the Clubhouse community even without displaying additional information with respect to that necessary for the creation of the account and without allowing Alpha Exploration to carry out independent processing regarding the methods of its interactions with the platform. Such autonomous processing, moreover, could lead to the creation of a different profile from the one perceived by the interested party (since the methods and logic of profiling are not explicit in the privacy policy) so that participation in the life of the community could be vitiated or unduly conditioned/influenced.
The table on the legal bases reported in the European integration to the privacy policy also states that the information on the account, the additional biographical information requested by the platform and information on the use of the platform and on the activities can be used in order to develop and improve the Clubhouse products. The legal basis of the aforementioned processing would reside in the legitimate interest of the owner. In this regard it must be noted that, in the absence of further specifications, which would also be necessary, if the processing is carried out through profiling operations, the same appears entirely superimposable to that aimed at improving the participation of the interested party in the community and, in this case, the identification of a different legal basis which is independent of the consent of the interested party appears to constitute a form of circumvention of the provisions and guidelines referred to above. If the treatment has different connotations and does not provide for the performance of profiling operations, the same should be explained in detail in order to allow the interested party and the Authority to evaluate the interests in the field and the possible prevalence of the same with respect to the rights, the fundamental freedoms and interests of users.
This also taking into account what is indicated in the "Opinion 6/2014 on the concept of legitimate interest of the [owner] of the treatment pursuant to article 7 of directive 95/46/EC" (currently article 6, par. 1, lett. f), of the Regulation), made by the Working Group pursuant to art. 29 for data protection, in which it is represented that "the fact that the [controller] of the treatment has such a legitimate interest in the processing of certain data does not mean that he can necessarily invoke Article 7, letter f), as a legal basis for the treatment. The legitimacy of the [owner]'s interest in data processing is only a starting point, one of the elements that need to be analyzed under Article 7(f). The possibility of invoking article 7, letter f), will depend on the outcome of the comparative test”, as referred to above (so-called triple test, in the interpretation of the CJEU mentioned above).
In the light of the above observations, the violations of articles 5, par. 1, lit. a), 6 and 7 of the Regulation formulated in the act initiating the procedure are confirmed.
5.2. Articles 5, par. 1, lett. a) and e), 12, par. 1, 13 and 14 of the Regulation
With the deed of initiation of the proceeding dated 7 March 2022, Alpha Exploration was charged with violating the provisions on the subject of information, pursuant to articles 5, par. 1, 12, 13 and 14 of the Regulation:
- for having failed to provide, until 4 August 2021, information on the treatment to data subjects who provided their personal data;
- for having failed to provide information on the treatment to subjects whose telephone numbers are present in the contact list of users who have consented to their sharing with Clubhouse;
- for having provided, after 4 August 2021, information on the processing in the absence of the requirements of clarity, transparency and comprehensibility set forth therein;
- for providing unsuitable information on user data retention times.
As for the dispute regarding the failure to provide information up to 4 August 2021, reference must be made to what was found in point 5.1, namely that this omission was caused by an incorrect assessment by the data controller regarding the applicable legislation in relation to the interested parties who are located in the Union, but that this circumstance does not allow the exemption pursuant to art. 3 of the law n. 689/1981 on the subject of good faith.
As regards the omitted information relating to the processing of personal data consisting of the telephone numbers of non-users, in the notice of dispute it was noted that "Clubhouse collects data from the so-called "contacts" present in the address book of its users' devices, stored in the form of hash values derived from telephone numbers. This collection allows users to connect with people they know, and invite friends to join them on Clubhouse. The platform also collects the names of friends that the user decides to invite to join the Clubhouse. This collection of data, while providing for consent from the user, is carried out without providing third parties (the user's "friends" in his contact list) with any type of information regarding the treatments that will be carried out on their data (telephone number and name)".
In the defense brief dated May 16, 2022, Alpha Exploration reiterated that the telephone number data of non-users, acquired through the contact synchronization that the interested party can carry out on the Clubhouse platform, are subjected to a pseudonymisation process and are therefore not available to the Company. It then highlighted that it had included, since 6 January 2022, a specific mention in the integration to the privacy policy in order to give adequate information to non-users, information which was then integrated into the current version of the information, in which it is acknowledged that "the only information Clubhouse keeps is a hash value derived from the phone number. Clubhouse does not collect names or any other information associated with your contacts, and we do not share or make available any hash values we collect to third parties."
In this regard, in acknowledging Alpha Exploration's effort to make the information provided to data subjects clearer and in reiterating that the retention of pseudonymized data also constitutes processing, it is noted that the information included in the privacy policy can rarely be learned by subjects who are not users of the platform and therefore it seems necessary, so that the provision of information to non-users is not reduced to a mere formality, for the Company to take a further step to provide interested parties with information compliant with the regulatory provisions. In this sense it seems useful to highlight that art. 14, par. 3, letter b), of the Regulation allows for the provision of information "in the event that the personal data are intended for communication with the interested party, at the latest at the time of the first communication to the interested party" and that, therefore, in the event that Clubhouse were to send an invitation to non-users to join the community, a link could be usefully inserted in the text of the invitation which refers to a specific information provided in the interest of non-users, to be inserted separately on the website, as well as an indication on the origin of the message, in order to allow the recipient to independently operate any pertinent investigation.
As for the dispute regarding the violation pursuant to art. 12 of the Regulation, in the act of initiation of the procedure it had been observed that "even in the updated version of the privacy policy some relevant aspects of the processing of personal data appear to be incorrectly configured and it is also not clear the value of the general part of the aforementioned document with respect to the specific information provided for European users, so that the information does not assume those connotations of clarity, transparency and comprehensibility provided for by art. 12, par. 1 of the Regulation".
In this regard, the party represented that it had recently updated both documents (privacy policy and integration for users located in the Union) to improve the understanding of the two parties and that the privacy policy specifically indicates that it applies globally, while the integration has the function of supplementary information to be read in coordination with the first: "considered as a whole, the Privacy Policy and the Supplementary Information provide users with all the prescribed information".
Also in this case we must acknowledge the effort made by the Company to make the information more understandable; however, it must be noted that the critical issues that emerged during the dispute do not seem to have been overcome, first of all for what has already emerged in point 5.1, on the subject of legitimate interest (where the elements referred to in Article 13, paragraph 1, letter d), of the Regulation are not indicated in detail), as well as for the scarce information provided with reference to automated decision-making procedures and profiling. Furthermore, as highlighted with reference to the Clips & Replays, the information provided in the privacy policy relating to the contractual legal basis does not correspond to what is indicated in the document relating to the terms of service. On the aspects referred to here, it is not believed that specific prescriptions should be adopted since, at the state of the documents, the aforesaid treatments are illegitimate at root, with reference to the aspects relating to the compatibility of the legal basis with the reference regulatory framework.
With reference to the dispute relating to the failure to indicate the data retention periods, the Company, during the preliminary investigation, represented that the personal data are kept for as long as the user has a Clubhouse account, or for a longer period in the event of a complaint or if the Company believes there is a prospect of litigation.
With reference to audio files, in particular, information on retention times was found to be lacking in all hypotheses that do not fall within the verifications of the reported violations.
The Company, in the disclosure, has generally stated that to determine the appropriate retention period for personal data, the quantity, nature and sensitivity of the information, the potential risk of damage from unauthorized use or from the disclosure of the data itself, the purposes of the processing and the applicable legal requirements are taken into consideration.
In the defense brief Alpha Exploration pointed out that the Regulation does not impose an analytical and precise indication of the data retention periods, admitting that it may be impossible to provide such information, but requires that the disclosure should at least contain an exposition of the criteria used to determine the aforementioned periods.
Alpha Exploration states that “in the present case, the user is informed that Clubhouse retains personal data for the time in which the user maintains a Clubhouse account. It follows that the user has control over the retention period and it is not possible to know in advance when a user could close his account or ask Clubhouse to delete his personal data”. The Company represented that it had however updated the text of the data retention section of the privacy policy and of the supplementary information "to more accurately reflect the data retention periods for the various purposes described above in order to increase transparency of our data retention practices and satisfy the observations of this Authority".
In this regard, it should be noted that from the information provided by Alpha Exploration in the latest version of the privacy policy and the supplementary information for users who are in the Union, it is still not possible to deduce which data are subject to the general rules, which provide for conservation until the eventual closure of the account, and which data are, instead, subject to a differentiated conservation regime. In particular, it has not been clarified which data may be subject to prolonged retention in the event of litigation (even potential) and whether for the eventual cancellation of such data reference is made to the statute of limitations (and of which country) or to other circumstances. With reference to the audio files, created at the request of the user by activating the Clips & Replays, it appears necessary to clarify to users that such files are, as a rule, kept until the eventual closure of the account by the user who generated them unless he requests their cancellation.
Also in this case, therefore, the objections formulated in the act of initiation of the procedure are confirmed, and articles 5, par. 1, lett. a) and e), 12, par. 1, 13 and 14 of the Regulation must be considered violated.
5.3. Article 27 of the Regulation
Art. 13, par. 1, lit. a) of the Regulation requires the controller to indicate, among other things, the contact details of the representative, while art. 27, par. 4 of the Regulation provides that the role of the latter is to be an interlocutor, alongside or in place of the controller.
In the notice of dispute, the Guarantor alleged a violation of art. 13, par. 1, lit. a), in conjunction with art. 27 of the Regulation, in the part in which the information does not provide the contact details of the representative.
Furthermore, a violation of art. 27, par. 4 of the Regulation was alleged in relation to the functions and role actually performed by the designated representative.
In the defense brief dated May 16, 2022, the Company stated that it had designated the company VeraSafe Ireland Ltd (hereinafter "VeraSafe") as representative and that it had regulated the related relations on the basis of a written agreement. In particular, the Company has specified that it has granted VeraSafe the power to receive, communicate and, following consultation with Alpha Exploration, respond to communications received from a supervisory authority or from an interested party.
The Company also represented:
- to have fulfilled its information obligation pursuant to art. 13, par. 1, lit. a) inserting in the privacy policy the link that leads to a form that represents the point of contact with VeraSafe;
- to have made the supplementary information clearer by specifying that VeraSafe can be contacted, in addition to Alpha Exploration, via an electronic form or a specific email address;
- that information regarding the management of requests is provided on the VeraSafe web page.
With regard to the claims made by the Company, the following is noted:
- among the contacts indicated in the supplementary information produced (see attachment 2 of the memorandum of May 16, 2022), section Notice to European and Brazilian Data Subjects, only the physical address of VeraSafe is indicated, without references to the latter's email;
- the wording of the information provided by the Company in the Controller and Representative subsection of the privacy policy appears ambiguous, in the part which reads “Please note any communications directed to these representatives should also be directed to Clubhouse as the data controller” [emphasis added]. In fact, the text seems to suggest to the interested party the need to send the communication not only to the representative but also to the data controller, as if this constituted an additional and necessary burden;
- again in the Notice to European and Brazilian Data Subjects section, a link is available which refers to an online form on the page https://verasafe.com/public-resources/contact-data-protection-representative which VeraSafe generally dedicates to contacts with interested parties who intend to write to one of the various data controllers it represents; by accessing the aforementioned form, one lands on the VeraSafe web page which provides some information (A quick summary of how your inquiry will be handled) on the functions and role of the representative. This information appears misaligned with respect to the regulatory provisions, given that VeraSafe defines itself as a mediator (facilitator), i.e. with a more limited profile than that provided for by art. 27, par. 4 of the Regulation which, on the other hand, qualifies the representative as a real interlocutor who acts in the name and on behalf of the controller.
In light of the above, it is believed that the current formulation of the privacy policy does not comply with the provisions of art. 13, par. 1, lit. a) of the Regulation as the e-mail address of the representative is not expressly indicated in the contact details, forcing the interested party to consult a different web page - subject, among other things, to a different privacy policy - and fill in an electronic form prepared by the representative not dedicated exclusively to the activity performed in favor of the Clubhouse.
Furthermore, the violation of art. 27, par. 4 of the Regulation is confirmed, as the role of VeraSafe appears, at present, not correctly outlined, given that the figure of the representative introduced by the Regulation cannot be understood as a mediator or facilitator (i.e. a subject who puts two or more parties in relation to facilitate the achievement of an objective, without being bound to any of them by collaboration, employment or representation relationships) but, as specified in recital 80 of the Regulation, must be a person who acts on behalf of the controller with regard to the obligations that derive for the latter from the Regulation. The ambiguity of VeraSafe's role is also confirmed by the lack of clarity of the privacy policy to the extent that it provides that the interested parties must send each communication jointly to both the representative and the controller, thus totally emptying the meaning of the designation of a representative in the European Union.
5.4. Article 28 of the Regulation
With regard to the recipients or categories of recipients of personal data, in the memorandum dated May 16, 2022 Alpha Exploration reported that users' personal data may be disclosed to service providers, to be identified as data processors.
This circumstance appears confirmed by what is indicated in the privacy policy, which states that user data can be shared with companies and other subjects that provide services on behalf of Alpha Exploration or collaborate in managing the App (in hosting, analysis, customer support, email and SMS delivery).
Art. 28 of the Regulation governs the figure of the data processor and the relationship between the latter and the controller. In particular, the third paragraph specifies that processing carried out by a processor is governed by a contract or other legal act pursuant to Union or Member State law, which binds the processor to the controller and which stipulates the subject matter and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the controller.
Following the notice of dispute, the Company communicated (see attachment 4 to the statement of 16 May 2022) the list of subjects who operate as data processors, clarifying that they act on the basis of the instructions given by the Company.
Based on the information provided, it is believed that there are no grounds for finding a violation of art. 28 of the Regulation, but it is considered necessary, in order to make the information more transparent and complete, for the controller to insert a link that refers to the list produced so that the same, duly updated, can be freely consulted by the interested parties.
5.5. Articles 5, par. 1, lit. f) and 32 of the Regulation
Alpha Exploration stated, in the note dated March 8, 2021 in reply to the request for information from the Office, that the audio data collected within the Clubhouse are not processed biometrically and that no automated decision tools are applied pursuant to art. 22 of the Regulation, not even with reference to the moderation activity and possible blocking of users who do not respect the rules of the Clubhouse community.
On the other hand, at first, the Company provided completely generic indications regarding the security measures adopted to protect the data. With the defense brief of 16 May 2022, on the other hand, the Company punctually illustrated the main security measures adopted, both for the protection of audio files and at the level of infrastructure and security of the systems adopted.
In particular, Alpha Exploration has reported, in detail, which technical and IT measures it has adopted for encryption at rest (for the so-called Replays and for recordings kept for trust and security purposes) and in transit of the collected audio data, as well as for the encryption of users' personal data, including private direct messages.
With regard to the security of the operating system, the Company specified, in the aforementioned brief and during the hearing of 10 June 2022, that the first Clubhouse engineers came from a FinTech company "where they were thoroughly trained in secure coding practices and in the development of secure applications and systems”.
The security measures implemented by Alpha Exploration include access control (registered) based on roles and various levels of privileges, multi-factor authentications, encryption and secure coding techniques, monitoring and alerting tools, risk assessment procedures, testing, incident response systems and staff training on an annual basis. These measures are periodically reviewed and updated. With specific reference to the App, since its launch the Clubhouse engineers have designed and created the environment and the operating system "using a single programming language executed using a single API [...] in order to reduce the introduction of vulnerabilities, enable faster development of patches or updates to the App and facilitate an easier process for maintaining a current software inventory”.
In addition, the defense brief of May 16, 2022 detailed the measures taken to monitor network activity and the integrity of user accounts, including a penetration test, a bug bounty program and a Slack channel.
Lastly, it is noted that during the hearing on 10 June 2020, the Company represented that the three lines of action that are currently priorities are: 1) combating spam abuse; 2) growth of the IT security team; 3) security by design for each new feature of the App; the Company has also reiterated that it adopts the highest industry standards in relation to the number of employees and the area in which it operates.
From the analysis of the shared information, and having carried out an internal technical review, the Guarantor believes that the measures adopted are compliant with the provisions of articles 5, par. 1, lit. f), and 32 of the Regulation.
5.6. Article 35 of the Regulation
The Authority dedicated a paragraph of its notification to the need for the Company to carry out an impact assessment. In fact, art. 35 of the Regulation provides that when a processing of personal data presents a high risk for the rights and freedoms of individuals, the controller carries out, before proceeding with the processing, an assessment of the impact of the processing envisaged on the protection of personal data.
With provision no. 467 of 11 October 2018, the Guarantor has published the list of types of processing subject to the requirement of an impact assessment on data protection pursuant to art. 35, par. 4, of the Regulation (web doc. n. 9058979). This list includes treatments that involve the profiling of data subjects as well as the performance of predictive activities also carried out online or through applications, relating to "aspects concerning professional performance, economic situation, health, preferences or the personal interests, reliability or behavior, location or movements of the data subject”.
The activities carried out by the Company undisputedly fall within the types of processing that require an impact assessment, given that they take the form of a profiling activity for the users of the service relating to their preferences. It should be added that, among the data processed, there may also be those of minors whose processing would be non-occasional.
In its defense brief, the Company argued in relation to the failure to comply with art. 35 of the Regulation, generically recalling aspects of profiling activities which would exclude any form of intrusive processing, only to then confirm that an impact assessment is being worked on "which evaluates the risk of the organic personalization of the Clubhouse".
This last declaration, although appreciated by the Guarantor, does not diminish the seriousness of the processing carried out in the absence of an impact assessment, given that the referenced provision expressly requires that the obligation be fulfilled before proceeding with the processing, precisely because of the possible high risks for the rights and freedoms of natural persons.
On the basis of the information provided, the violation of art. 35 of the Regulation is confirmed and it is deemed necessary to quickly conclude the evaluation document in question.
6. CORRECTIVE MEASURES
On the basis of the above considerations, having ascertained the violations alleged against the Company with reference to points a) (with the exclusion of the legal basis referring to the processing connected to the Clips & Replays functions), b), c), d), e), f), g) and j) of the act of initiation of the procedure n. 15589/22 of 16 March 2022, it is necessary to order Alpha Exploration, pursuant to art. 58, par. 2, lit. d), of the Regulation, in order to bring the processing into conformity with the provisions of the Regulation itself, to:
- integrate the terms of service by inserting the description of the Clips & Replays, with specific reference to the prerogatives of the administrators and the safeguards established in favor of the users who participate in the rooms;
- integrate the information with reference to the legal bases, specifying in greater detail which legal basis applies to each specific processing purpose;
- introduce a function that allows users to learn about the possible recording of a chat before entering the relevant room;
- provide a mechanism whereby, in the event that the Clubhouse has to send an invitation to join the community, addressed to subjects who are not yet users whose data has been acquired from the users' telephone directories, a link is inserted in the text of the invitation which refers to a specific information notice provided in the interest of non-users, to be included separately on the website, as well as an indication of the origin of the message, in order to allow the recipient to independently look into the matter further as appropriate;
- integrate the information, with reference to the data retention times, specifying which data are subject to the general regime, which provides for retention until the moment of possible closure of the account, and which data, on the other hand, are subject to a differentiated retention regime;
- supplement the information by indicating the contact e-mail address of the designated representative pursuant to art. 27 of the Regulation;
- supplement the information by inserting a link that refers to the list of data processors appointed pursuant to art. 28 of the Regulation, keeping this list duly updated;
- specify, in the act of designation of the representative pursuant to art. 27 of the Regulation, functions and limits of the representative, pursuant to paragraph 4 of the same article and the related recital 80;
- carry out an impact assessment on the processing of personal data carried out through the Clubhouse platform, in the forms provided for by art. 35 of the Regulation.
It is also necessary:
- impose on the Company, pursuant to art. 58, par. 2, lit. f), of the Regulation, the prohibition of any further processing carried out for the purposes of direct marketing, profiling and sharing of account information, due to the unsuitability of the legal basis pursuant to art. 6, par. 1, lit. f), of the Regulation;
- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Alpha Exploration of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation.
7. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTIONS AND ADDITIONAL SANCTIONS
The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Alpha Exploration of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5 of the Regulation (payment of a sum up to 20,000,000 euros or, for companies, up to 4% of the annual worldwide turnover of the previous year, if higher).
To determine the maximum statutory fine, having taken note of the data on the economic capacity of the Company, as provided by the same, the fixed amount established by the aforementioned regulations, amounting to Euro 20,000,000, must be taken into consideration.
For the concrete quantification of the sanction, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.
In the present case, the following are relevant:
1) the seriousness of the violations (article 83, paragraph 2, letter a), of the Regulation) due to the specific nature of Alpha Exploration's business sector which, operating as a global social network, has the possibility of affecting, with its processing, significant portions of the private life of natural persons and their rights and freedoms. From this point of view, what is relevant is the initial choice of Alpha Exploration not to refer to the legislation dictated by the Regulation and the subsequent approach which, while taking into account the regulatory framework in force in Europe, developed a system of processing operations whose legal bases are in no case related to the unequivocal, free, specific and informed consent of the interested party;
2) as an aggravating factor, the duration of the violations (Article 83, paragraph 2, letter a), of the Regulation), due to the permanent and still existing nature of many of the disputed conducts and the observation that during the period taken into consideration, despite the interlocution with the Authority, many of the critical issues do not appear to have been resolved;
3) as an aggravating factor, the very high number of subjects involved (Article 83, paragraph 2, letter a), of the Regulation) taking into account that the base of Clubhouse users, according to what was declared by the Company itself, amounted, in March 2021, to 16 million subjects to which the so-called "non-users" must be added, whose data, in particular the telephone number, are subject to processing by Alpha Exploration;
4) as an aggravating factor, the significantly negligent nature of the conduct (article 83, paragraph 2, letter b), of the Regulation) in consideration of the fact that in the period of the investigation a wide-ranging and significant dialogue developed with the Authority during which the most critical elements of the overall processing carried out by Alpha Exploration were illustrated to the controller; a further element for the assessment of the Company's conduct lies in the fact that some indications presented in the defense brief, such as the elimination of the reference to direct marketing in the disclosure, were later found not to correspond to the truth, indicating also in this case an at least superficial and negligent management of the structure of the processing operations and of the related legal bases;
5) as a mitigating factor, the adoption of measures aimed at mitigating the consequences of the violations (Article 83, paragraph 2, letter c), of the Regulation), with reference to the repeated reformulations of the text of the privacy policy and the insertion of a specific supplementary section dedicated to interested parties who are located in the territory of the European Union;
6) as a mitigating factor, cooperation with the Authority (art. 83, paragraph 2, letter f), of the Regulation) during the preliminary investigation, which made it possible to acquire complete and timely information on the processing operations as a whole and to complete the procedure in a reasonably short time, also having regard to the non-European location of the controller;
7) as a further factor to be taken into consideration for setting the fine (article 83, paragraph 2, letter k), of the Regulation), the economic capacity of the Company, as inferred from the data provided by the same.
Based on the set of elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and the freedom to conduct a business, in the initial application of the pecuniary administrative sanctions envisaged by the Regulation, also in order to limit the economic impact of the sanction, it is believed that it should apply to the Company the administrative sanction of the payment of a sum of Euro 2,000,000.00 (two million), equal to 10% of the statutory maximum.
In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, should also be applied, taking into account the nature of the processing and the number of subjects involved, as well as the elements of risk for the rights and freedoms of the interested parties.
Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the provision in the internal register of the Authority provided for by art. 57, par. 1, lit. u), of the Regulation.
IN VIEW OF ALL THE ABOVE, THE GUARANTOR
pursuant to art. 57, par. 1, lit. f), of the Regulation, declares the processing carried out by Alpha Exploration, as described in the reasoning, to be unlawful.
Pursuant to art. 58, par. 2, lit. d), of the Regulation, requires the Company to:
- integrate the terms of service by inserting the description of the Clips & Replays with specific reference to the prerogatives of the administrators and the safeguards established in favor of the users who participate in the rooms;
- integrate the information with reference to the legal bases, specifying in greater detail which legal basis applies to each specific processing purpose;
- introduce a function that allows users to learn about the possible recording of a chat before entering the relevant room;
- provide a mechanism whereby, in the event that the Clubhouse has to send an invitation to join the community, addressed to subjects who are not yet users whose data has been acquired from the users' telephone directories, a link is inserted in the text of the invitation which refers to a specific information notice provided in the interest of non-users, to be included separately on the website, as well as an indication of the origin of the message, in order to allow the recipient to independently look into the matter further as appropriate;
- integrate the information, with reference to the data retention times, specifying which data are subject to the general regime, which provides for retention until the moment of possible closure of the account, and which data instead are subject to a differentiated retention regime;
- supplement the information by indicating the contact e-mail address of the designated representative pursuant to art. 27 of the Regulation;
- supplement the information by inserting a link that refers to the list of data processors appointed pursuant to art. 28 of the Regulation, keeping this list duly updated;
- specify, in the act of designation of the representative pursuant to art. 27 of the Regulation, functions and limits of the representative, pursuant to paragraph 4 of the same article and the related recital 80;
- carry out an impact assessment on the processing of personal data carried out through the Clubhouse platform, in the forms provided for by art. 35 of the Regulation.
Pursuant to art. 58, par. 2, lit. f), of the Regulation, imposes on the Company the prohibition of any further processing carried out for the purposes of direct marketing, profiling and sharing of account information, due to the unsuitability of the legal basis pursuant to art. 6, par. 1, lit. b) and f) of the Regulation;
Pursuant to art. 58, par. 1, of Regulation (EU) 2016/679, and art. 157 of the Code, also invites the data controller to communicate, within 30 days from the date of receipt of this provision, which initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback. Please note that failure to respond to the request pursuant to art. 58 is punished with the administrative sanction pursuant to art. 83, par. 5, lit. e), of Regulation (EU) 2016/679.
ORDERS
Alpha Exploration Co., Inc., with registered office at 548 Market Street PMB 72878, San Francisco, California 94104, USA, to pay the sum of 2,000,000.00 (two million) euros as an administrative fine for the violations indicated in the reasoning, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed.
ENJOINS
the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 2,000,000.00 (two million), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981.
PROVIDES FOR
a) pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and of the measures adopted;
b) pursuant to art. 166, paragraph 7, of the Code, and 16 of the Guarantor's Regulation n. 1/2019, the full publication of this provision on the Guarantor's website.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller has his residence, or, alternatively, with the court of the place of residence of the interested party, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 6 October 2022
PRESIDENT
Station
THE SPEAKER
Zest
THE SECRETARY GENERAL
Matthew