Dec 08

Italy’s Garante fines Clubhouse owner 2M EUR, France’s CNIL issues guidance on Sale of customer files

DP News – Week 49.

The ‘tough days for big techs’ seem to continue in the EU, this time in Italy, where the local supervisory authority, Garante, published a press release announcing a 2M EUR fine imposed on Alpha Exploration, the US company that owns Clubhouse.

Among the violations found by Garante are: lack of transparency on the use of the data of users and their ‘friends’; the possibility for users to store and share audio without the consent of registered persons; profiling and sharing of account information without identifying a correct legal basis; and indefinite retention of recordings to combat any abuse. Clubhouse was also prohibited from any further processing of personal data for marketing and profiling purposes without specific consent.

Alpha Exploration will also have to put in place supplementary measures to protect users, in particular: to introduce a feature that informs them, before they enter a conversation room, that the chat may be recorded; to introduce a mechanism to inform those who are not yet users about how their personal data will be used; and to supplement the fair processing information, specifying the legal basis that applies to each purpose of the processing, the retention periods for personal data and audio files, and the necessary information regarding the representative in the EU. Alpha Exploration will also have to carry out a DPIA.

Meanwhile, France’s supervisory authority, CNIL, published guidance on the sale of customer files (https://www.cnil.fr/fr/vente-de-fichiers-clients-la-cnil-rappelle-les-regles). According to the guidance, such a sale is not prohibited by the GDPR, but it must comply with certain specific obligations.

As CNIL explains, “only files that have been created from the outset in compliance with the regulations may be sold”. CNIL also highlights other rules to be followed:

– the file sold should only contain active customer data (as a general rule, a customer is deemed active within 3 years after the end of the contractual relationship);

– only the data of customers who have not objected to the transmission of their data or who have consented to it may be sold;

– fair processing information should be provided to customers;

– consent must be obtained for direct marketing contacts as required;

– all other rights of individuals should be respected (in particular, when contacted via any communication channel, an individual should be given a simple way to opt out of any further communications).
