A story today in the BBC reports that social app Clubhouse suffered a “data spill” over the weekend.
The article quotes both Clubhouse’s chief technology officer David Thiel and Australian cyber-security researcher Robert Potter arguing for a distinction between a data spill and a data breach. According to Robert Potter, a “data spillage” is different to a “data breach”: data breaches are deliberate and usually carried out by someone hacking into a system to steal data, whereas a data spillage is an incident whereby confidential information is released into an environment that is not authorised to have access to the information.
The context of this distinction is not clear from the article. But, according to Mr Thiel, no-one should expect their conversations to actually be private on Clubhouse; he advised via a Tweet that Clubhouse chats should be considered to be “semi-public”. Wow! Therefore, one could deduce that both Clubhouse and Mr Potter would argue that a breach of security did not take place because of the semi-public nature of conversations on Clubhouse and the fact that it was an authorised platform user who exfiltrated the information. In this way, perhaps a breach of security did not take place at all?
However, in the opinion of the Outsourced DPO, if there was a reasonable expectation that conversations would remain private, sufficient measures should have been implemented for that to be the case under the principles of privacy by design and by default.
From a data protection law perspective, the “spill” seems to clearly fall within the definition of a personal data breach. Both the UK and EU GDPRs define a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). This definition hinges on there being a “breach of security” and that is defined in the GDPR as confidentiality, integrity, availability and restorability. Providing access to other people’s conversations is a clear failure to provide confidentiality to those data.
It is also relevant to consider Article 25(2), which requires a controller to implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed, including the extent of their processing and their accessibility. In particular, it says that the implemented measures should ensure that by default personal data are not made accessible to an indefinite number of other people without the individual’s (i.e. the data subject’s) intervention. It seems to the Outsourced DPO that Clubhouse failed on all counts in this respect.
The article quotes Mr Potter saying “If you’re going to be an early adopter and try out new apps and new smartphones, there’s going to be bugs.” He is quoted as going on to say that “again and again, we see an app that has really high growth, it goes viral, and then they have a privacy problem, or they find lots of problems that weren’t so big a deal when they were smaller, and cyber-security comes later.” Surely this is not an appropriate way to develop software that is processing personal data?
As to whether the Outsourced DPO will be adding “data spill” to the glossary of terms in DPP’s information governance templates… I think not!
Phil Brining – Director – Data Protection People