Is “Data Spill” The Latest Buzz Word In The World Of Data Protection

By Myles Dacres

A story today in the BBC reports that social app Clubhouse suffered a “data spill” over the weekend.

The article quotes both Clubhouse’s chief technology officer David Thiel and Australian cyber-security researcher Robert Potter arguing for a distinction between a data spill and a data breach.  Robert Potter argues that a “data spillage” is different from a “data breach”: data breaches are deliberate and usually carried out by someone hacking into a system to steal data, whereas a data spillage is an incident in which confidential information is released into an environment that is not authorised to have access to that information.

The context of this distinction is not clear from the article.  But Mr Thiel has advised via a tweet that no-one should expect their conversations on Clubhouse to actually be private, and that Clubhouse chats should be considered “semi-public”.  Wow!  One could therefore deduce that both Clubhouse and Mr Potter would argue that a breach of security did not take place, because of the semi-public nature of conversations on Clubhouse and the fact that it was an authorised platform user who exfiltrated the information.  On that reasoning, perhaps a breach of security did not take place at all?

However, in the opinion of the Outsourced DPO, if there was a reasonable expectation that conversations would remain private, sufficient measures should have been implemented for that to be the case under the principles of privacy by design and by default.

From a data protection law perspective, the “spill” seems to fall clearly within the definition of a personal data breach.  Both the UK and EU GDPRs define a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)).  This definition hinges on there being a “breach of security”, and security is framed in the GDPR in terms of confidentiality, integrity, availability and restorability.  Providing access to other people’s conversations is a clear failure to provide confidentiality for those data.

It is also relevant to consider Article 25(2), which requires a controller to implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed, including the extent of their processing and their accessibility.  In particular, Article 25(2) goes on to say that the implemented measures should ensure that by default personal data are not made accessible to an indefinite number of other people without the individual’s (i.e. the data subject’s) intervention.  It seems to the Outsourced DPO that Clubhouse failed on all counts in this respect.

The article quotes Mr Potter saying “If you’re going to be an early adopter and try out new apps and new smartphones, there’s going to be bugs.”  He is quoted as going on to say that “again and again, we see an app that has really high growth, it goes viral, and then they have a privacy problem, or they find lots of problems that weren’t so big a deal when they were smaller, and cyber-security comes later.”  Surely this is not an appropriate way to develop software that is processing personal data?

As to whether the Outsourced DPO will be adding “data spill” to the glossary of terms in DPP’s information governance templates… I think not!

Phil Brining – Director – Data Protection People 

Data Protection People Limited – March 2021