The Clubhouse App in Italy: When is a GDPR Representative not a GDPR Representative?
With large GDPR fines increasingly common, the enforcement action brought by the Data Protection Authority in Italy (the Garante) against Alpha Exploration Co. Inc. (the company which provides the Clubhouse app service), didn’t attract the headlines which it might have in the past.
That’s a shame because, in addition to the significant €2,000,000 fine, some previously unanswered questions relating to the GDPR Article 27 Representative arose during their investigation and subsequent enforcement action.
For the purposes of this article, I will deal only with the issues which arose relating to the GDPR Representative, but this enforcement action also covers a number of other interesting areas (including consent, legitimate interests, profiling, when to undertake a DPIA), so I’ve added links at the bottom of this article. Please note that quotes in this article from the official transcript have been translated from the original Italian.
The situation:
The Clubhouse app grew exponentially during the lockdown periods of the pandemic, turning it into a global phenomenon from its beginnings as a small app for groups of US-based friends. At some point it became apparent to the provider that it was being used across the world, and was therefore potentially under the jurisdiction of the GDPR for EU-based users.
Although the company behind the app sought at that time to put GDPR protections in place, it appears that those measures weren’t sufficient and – in the face of multiple public questions about the compliance of the app and a report submitted to them setting out a number of specific concerns – the Garante decided to investigate.
Clubhouse’s GDPR Representative
When they realised their obligation to meet the requirements of GDPR, Clubhouse appointed a GDPR Representative because they lacked a location in the EU. However, there were two issues with Clubhouse’s Representative appointment, which the Garante insisted be put right as part of the package of enforcement measures.
1) Accessibility
Clubhouse had listed their Representative appointment in their privacy notice, but had done so in a way which made contacting the Representative more difficult than it should have been. Specifically, there was an insistence by Clubhouse that they be contacted directly at the same time as the Representative, and no email method of communication with the Representative was provided (there was a link to an online portal where the Representative could be contacted, and the address of at least one EU-based contact location).
Because of the insistence by Clubhouse that they should be contacted at the same time as their Representative, they were deemed to have placed an additional burden on the data subject seeking to exercise their rights. With the only other option for the data subject being to access a portal on a different website (subject to a different privacy notice) rather than giving them the option to raise an email, and by insisting that they were included directly in communications, Clubhouse “totally empt[ied] the meaning of the designation of a representative in the European Union”.
2) Authority
When a data subject visited the Representative’s portal to submit their request, the Representative had characterised their appointment by Clubhouse as that of a “mediator or facilitator”. In the view of the Garante, supported by GDPR Article 27 and Recital 80, the Representative should not be limited to that of a “mediator or facilitator”, as that description implied they were taking up the role of an independent third party acting between the data subject and data controller, without being committed to follow the interests of either.
The Garante stated that this is not the role of the Representative, and confirmed that it should instead be a mandated contractor acting on behalf of their client. Because the Representative was effectively claiming an indirect relationship with their client rather than the direct arrangement required by GDPR Article 27(1), the appointment of the Representative had not met the requirements of GDPR.
Observations
It should be noted that neither GDPR, nor the guidance relating to it, specify precisely what method(s) of contact must be made available for the GDPR Representative of a company outside the EU.
The author considers it implied that a postal contact location for the Representative in the EU should be provided – to do otherwise would also likely (to use the Garante’s terminology) “empty the meaning” of the Representative’s appointment; if you can’t reach them in the EU, what purpose do they serve? In line with EDPB guidance 03/2018, that address should be in the EU country where their client has the largest number of EU data subjects, and it may also be necessary to include addresses in other countries to ensure the Representative “remain[s] easily accessible for data subjects in Member States where it is not established” (EDPB guidelines 03/2018).
The insistence that an email address be provided appears to be a new expectation, but probably a sensible one. Although it is important that the Representative be contactable by physical mail (especially for those who prefer not to engage online), in practice the bulk of communications relating to data subject access requests are made electronically, so including an electronic point of contact is a logical expectation. Although an online portal had been provided by Clubhouse (the provision of which did not in itself appear to be an issue), by forcing the data subject to visit that website and submit data via that portal, Clubhouse had made the process of raising a request to their Representative more difficult than it should have been, thereby limiting data subjects’ access to their rights.
To my mind, the question remains open as to whether it would be acceptable to omit an email contact to the Representative where there is no insistence that the communications also be made to their client at the same time, but I would encourage companies which are required to appoint a Representative not to put this to the test – apart from anything else, to do so would be completely unnecessary where their Representative provides an email address for this purpose (doing so is customary across the Representative sector). In general, it can only benefit data subjects (and therefore GDPR compliance) to provide data subjects with as many options as can reasonably and proportionately be made available to exercise their rights; conversely, limiting the routes by which they can access their rights is likely to be viewed negatively by EU authorities.
Regarding the point as to the authority of the Representative to act on behalf of their client, I believe that aspect of the Representative appointment role has never been in doubt – certainly GDPR itself is clear that the Representative should be able to act on behalf of their client, rather than simply facilitating a conversation between them and their data subjects. I would advise caution over using a provider of the GDPR Representative service which wished to claim otherwise – this enforcement action indicates that, in (presumably) seeking to shield themselves from potential liability by claiming an indirect role, those providers could be putting their clients at risk of non-compliance.
Conclusion:
When appointing an EU GDPR Representative:
Ensure that, as well as a physical contact location established in the appropriate EU country(ies), an email address will be made available at which the Representative can be contacted by data subjects (and include both on your privacy notice).
Do not attempt to limit the data subject’s right to contact the Representative by placing barriers to doing so (e.g. requiring that they visit another website, or that those communications must also be simultaneously made to the data controller directly).
Tim Bell is Managing Director of DataRep (www.datarep.com), a leading provider of GDPR Representative services in the EU, EEA and UK. If your company processes EU personal data and has no EU location, you may need a GDPR Representative – get in touch for a free consultation.
Original decision: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9828901 (in Italian only)
EDPB report: https://edpb.europa.eu/news/national-news/2023/clubhouse-fined-eur-2-million-italian-sa_en
GDPRhub summary (including English translation): https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9828901&mtc=today
CEO at Impact Privacy | Global Healthcare Privacy Solutions | Business All-Star Accredited
(1 year ago) Thanks Tim Bell. This is often an issue in the life science space... the legal rep v. the GDPR rep, v. the DPO!! Not the same, shouldn't be the same, can't be the same.
Data and Tech Partner at Squire Patton Boggs FIP, CIPP/A, US, E, CIPM
(1 year ago) Very interesting Tim Bell. Hope you’ve been well