Ber­lin data pro­tec­tion aut­ho­ri­ty: Posi­ti­on paper and a check­list on the issue of data pro­tec­tion in con­nec­tion with video conferencing

Ser­vices from Micro­soft (par­ti­cu­lar­ly Teams and Sky­pe) and Zoom do not con­form to data pro­tec­tion requirements 

In pro­vi­ding infor­ma­ti­on about data pro­tec­tion during the coro­na­vi­rus pan­de­mic, the Ber­lin data pro­tec­tion aut­ho­ri­ty has issued a posi­ti­on paper (PDF) and a check­list (PDF), both of which are dated 8 April 2020 based on the docu­ment meta­da­ta, in which it dis­cus­ses the issue of data pro­tec­tion in con­nec­tion with video con­fe­ren­cing. While it is good to see the aut­ho­ri­ty take this initia­ti­ve, and par­ti­cu­lar­ly its decisi­on to pro­vi­de spe­ci­fic gui­de­li­nes, its deter­mi­na­ti­on that the ser­vices pro­vi­ded by Micro­soft, spe­ci­fi­cal­ly Teams and Sky­pe, and the video con­fe­ren­cing soft­ware Zoom can­not be used in a man­ner con­forming to data pro­tec­tion requi­re­ments appears debatable.

In its posi­ti­on paper, the Ber­lin data pro­tec­tion aut­ho­ri­ty pur­su­es the goal of avoiding or at least mini­mi­zing risks to data sub­jects in con­nec­tion with video con­fe­ren­cing. At the same time, it urges busi­nes­ses to use solu­ti­ons which con­form to data pro­tec­tion requi­re­ments ins­tead of the non-conforming solu­ti­ons which have been intro­du­ced at short noti­ce in respon­se to the cur­rent situa­ti­on. Spe­ci­fi­cal­ly, the aut­ho­ri­ty recom­mends that video calls and video con­fe­ren­ces should be con­duc­ted exclu­si­ve­ly through encryp­ted chan­nels. This recom­men­da­ti­on may be cal­led sen­si­ble, even though data encryp­ti­on is only one of the pos­si­ble tech­ni­cal data pro­tec­tion mea­su­res cited in Arti­cle 32(1)(a) of the GDPR. Howe­ver, the aut­ho­ri­ty does not spe­ci­fy the degree or type of encryp­ti­on requi­red (e.g. trans­port encryp­ti­on and/or con­tent encryption).

The aut­ho­ri­ty also recom­mends solu­ti­ons ope­ra­ted by the con­trol­lers them­sel­ves (self-hosted solu­ti­ons). But such solu­ti­ons are likely unrea­listic for many com­pa­nies becau­se of the enor­mous expen­se. The aut­ho­ri­ty ack­now­led­ges this fact and allows for the pos­si­bi­li­ty of enga­ging a reli­able ser­vice pro­vi­der as a pro­ces­sor. This view is gene­ral­ly wel­co­me, but the fact that the aut­ho­ri­ty goes right to the opti­on of a pro­ces­sing arran­ge­ment is curious. After all, it is also pos­si­ble that the use of encryp­ti­on means that the GDPR will not app­ly for the video ser­vice pro­vi­der becau­se it will have no access to per­so­nal data. It is also pos­si­ble that the video ser­vice pro­vi­der is its­elf respon­si­ble for ensu­ring pri­va­cy, e.g. if the lat­ter. A mix­tu­re of the­se cate­go­ries may also app­ly, depen­ding on the indi­vi­du­al case.

In addi­ti­on to pro­vi­ders based in the EU or else­whe­re in the Euro­pean Free Tra­de Asso­cia­ti­on (EFTA) zone, the aut­ho­ri­ty also express­ly sta­tes that ser­vice pro­vi­ders based in third coun­tries are accep­ta­ble if they offer an equi­va­lent level of data pro­tec­tion. Asi­de from a decisi­on from the EU Com­mis­si­on fin­ding an equi­va­lent level of pro­tec­tion for per­so­nal data, the aut­ho­ri­ty also right­ly points out the use of stan­dard con­trac­tu­al clau­ses as ano­t­her pos­si­bi­li­ty. In prac­ti­ce, an ade­quacy decisi­on from the EU Com­mis­si­on should be of par­ti­cu­lar impor­t­ance in this con­text for trans­fers of data to US con­trol­lers sub­ject to the EU-US Pri­va­cy Shield. Des­pi­te some cri­ti­cism from the data pro­tec­tion aut­ho­ri­ty, the level of pro­tec­tion actual­ly gua­ran­te­ed by the EU-US Pri­va­cy Shield con­ti­nues to be an important and valid basis for data trans­fers to the US, satisfy­ing legal requirements.

The authority’s other state­ments do not appe­ar to adhe­re strict­ly to cur­rent law. For examp­le, the data pro­tec­tion aut­ho­ri­ty recom­mends that only pro­vi­ders in the EU or the EFTA should be used in cases invol­ving the pro­ces­sing of sen­si­ti­ve data whe­re the pro­vi­der can­not be pre­ven­ted from acces­sing the trans­fer­red audio and video data. But such a dis­tinc­tion based on the provider’s loca­ti­on is not found in the Chap­ter of the GDPR begin­ning with Arti­cle 44. As we have seen, the rele­vant cri­ter­ion is in fact the level of data pro­tec­tion. As a result, this recom­men­da­ti­on is likely not meant to be legal­ly binding.

Risks of Data Processing

In its posi­ti­on paper, the super­vi­so­ry aut­ho­ri­ty also addres­ses the risks of video con­fe­ren­cing, which it iden­ti­fies as the risk of unaut­ho­ri­zed lis­tening or record­ing, as well as fur­ther explo­ita­ti­on of the con­tent. Accord­ing to the data pro­tec­tion aut­ho­ri­ty, this could result in adver­se effects for the peop­le who take part in the video con­fe­rence, as well as tho­se who are men­tio­ned in the dis­cus­sion. The aut­ho­ri­ty notes that this risk mate­ria­li­zes not only if the con­fe­rence is recor­ded by third par­ties, but even if the record­ing is made by the ope­ra­tor of the video sys­tem. The aut­ho­ri­ty rea­sons that the ope­ra­tor can make a record­ing of the con­fe­rence unless it is blo­cked by means of encryp­ti­on, even if this record­ing is made for ana­ly­ti­cal pur­po­ses only. The aut­ho­ri­ty also cites telecom­mu­ni­ca­ti­ons secrecy as ano­t­her argu­ment that such a risk exists. In doing so, it makes the fac­tual­ly cor­rect obser­va­ti­on that telecom­mu­ni­ca­ti­ons secrecy does not app­ly for video ser­vice pro­vi­ders, at least until now, becau­se they do not pro­vi­de telecom­mu­ni­ca­ti­ons ser­vices and ins­tead func­tion as “over-the-top” pro­vi­ders. But it does not fol­low from this obser­va­ti­on that video ser­vices should not be used: in fact, even the aut­ho­ri­ty con­ce­des that this risk can be sub­stan­ti­al­ly mini­mi­zed through a con­trac­tu­al arran­ge­ment, such as e.g. a pro­ces­sing con­tract. The authority’s view that record­ing is never allo­wed, even for the pur­po­se of impro­ving the ser­vice, is in any case uncon­vin­cing. After all, impro­ving or deve­lo­ping the ser­vice is a legi­ti­ma­te pur­po­se and may actual­ly be in the user’s inte­rest. From a legal stand­point, the pro­vi­der may have a legi­ti­ma­te inte­rest in impro­ving the ser­vice in accordance with Arti­cle 6(1)(f) of the GDPR, and record­ing may also be con­duc­ted based on the user’s con­sent in accordance with Arti­cle 6(1)(a) of the GDPR. In cases invol­ving pro­vi­ders based out­side the EU and the EFTA, the aut­ho­ri­ty also sees a vague risk in con­nec­tion with the fact that the pro­ces­sing con­tract and other con­trac­tu­al arran­ge­ments will have to be enfor­ced in a for­eign legal sys­tem, and it recom­mends that the agree­ment con­sist ent­i­re­ly of stan­dard con­trac­tu­al clau­ses. In this docu­ment, the aut­ho­ri­ty does not devo­te any fur­ther dis­cus­sion to the fact that stan­dard con­trac­tu­al clau­ses are not the only legal basis for trans­fers to third coun­tries in accordance with the GDPR.

The Authority’s Recommendations

In its recom­men­da­ti­ons, the Ber­lin data pro­tec­tion aut­ho­ri­ty advi­ses com­pa­nies to use con­fe­rence calls whe­re­ver pos­si­ble ins­tead of video con­fe­ren­cing, noting that con­fe­rence calls are “much easier to con­duct in a man­ner con­forming to data pro­tec­tion requi­re­ments.” Regard­less of the ques­ti­on as to whe­ther this is actual­ly the case, this recom­men­da­ti­on will likely be unhel­pful for many com­pa­nies in prac­ti­ce: the use of video con­fe­ren­cing soft­ware, fea­turing mode­ra­ti­on opti­ons and the abi­li­ty to share one’s screen, offers who­le new pos­si­bi­li­ties for col­la­bo­ra­ti­on. The aut­ho­ri­ty also makes refe­rence to solu­ti­ons which are ope­ra­ted by the con­trol­lers them­sel­ves and by Euro­pean pro­vi­ders, but does not men­ti­on any spe­ci­fic pro­ducts, as the Data Pro­tec­tion Com­mis­sio­ner for the Sta­te of Baden-Württemberg recent­ly did.

State­ments Con­cer­ning Ser­vices from Micro­soft and Zoom

The aut­ho­ri­ty then once again addres­ses the issue of “non-European ser­vice pro­vi­ders,” but men­ti­ons only pro­vi­ders from the US. It obser­ves that the afo­re­men­tio­ned risk of record­ing exists even with pro­vi­ders which have a con­trac­tu­al con­ta­ct per­son in Euro­pe, but who­se ser­vice is lar­ge­ly pro­vi­ded by non-European ser­vice pro­vi­ders which are mem­bers of the same cor­po­ra­te group. The aut­ho­ri­ty sta­tes that this risk has to be mini­mi­zed through sepa­ra­te gua­ran­tees, which is often not the case. Spe­ci­fi­cal­ly, the aut­ho­ri­ty sta­tes as follows:

“The most pro­mi­nent examp­les are the ser­vices pro­vi­ded by Micro­soft Cor­po­ra­ti­on (e.g. Micro­soft Teams), inclu­ding its sub­si­dia­ry Sky­pe Com­mu­ni­ca­ti­ons SARL, which is based in Luxem­bourg (with the pro­duct of the same name).”

The aut­ho­ri­ty does not dis­cuss how it reached the con­clu­si­on that the­re is a signi­fi­cant risk that Micro­soft will fail to honor its con­trac­tu­al agree­ments and that it will not be pos­si­ble to enfor­ce any claims or con­trac­tu­al rights in the US. It also fails to men­ti­on Microsoft’s data resi­den­cy model, which express­ly assu­res Ger­man cus­to­mers of Micro­soft Teams and Sky­pe for Busi­ness that their data will be stored in Ger­ma­ny. Taking the­se aspects into con­si­de­ra­ti­on, the authority’s con­clu­si­on with respect to mini­mi­zing risk seems by no means compelling.

The aut­ho­ri­ty sees the afo­re­men­tio­ned risks even in cases whe­re a con­tract is con­clu­ded with the­se pro­vi­ders direct­ly. Even in that case, it takes the view that addi­tio­nal legal gua­ran­tees are requi­red in order to over­co­me the risk ari­sing from trans­fers to a third coun­try. In the case of Zoom Video Com­mu­ni­ca­ti­ons Inc., the aut­ho­ri­ty sta­tes that such gua­ran­tees have not been pro­vi­ded, at least as of 2 April 2020. The aut­ho­ri­ty does not cite more spe­ci­fic grounds for its decisi­on in this docu­ment, but the authority’s press release of 31 March 2020 sta­tes as follows:

“Note: the­re are ser­vice pro­vi­ders from the US with lar­ge mar­ket shares which do not meet this requi­re­ment becau­se they are not ade­qua­te­ly regis­tered or offer the stan­dard con­trac­tu­al clau­ses only in modi­fied form. As of this prin­ting, one examp­le is Zoom Voice Com­mu­ni­ca­ti­ons, Inc.”

But even from this state­ment, it is not clear why the Ber­lin data pro­tec­tion aut­ho­ri­ty finds Zoom’s regis­tra­ti­on under the EU-US Pri­va­cy Shield to be ina­de­qua­te. It is also not evi­dent which defects the aut­ho­ri­ty has iden­ti­fied in the stan­dard con­trac­tu­al clau­ses used by Zoom. Both of the­se would be very hel­pful for con­trol­lers to know, sin­ce other­wi­se inst­ruc­tions can­not be issued to Zoom in the pro­ces­sing contract.

Con­clu­si­on

It is clear from the publis­hed docu­ments that the Ber­lin data pro­tec­tion aut­ho­ri­ty takes the posi­ti­on that ser­vices from Micro­soft, spe­ci­fi­cal­ly Teams and Sky­pe, and the Zoom video con­fe­ren­cing solu­ti­on (the lat­ter updated as of 2 April 2020) do not con­form to data pro­tec­tion law. The aut­ho­ri­ty express­ly cla­ri­fies this point once again in its publis­hed check­list, which sta­tes as fol­lows:
“We would point that the pro­vi­ders of some wide­ly used pro­ducts do not satisfy the con­di­ti­ons cited abo­ve, inclu­ding Micro­soft, Sky­pe Com­mu­ni­ca­ti­ons and Zoom Video Com­mu­ni­ca­ti­ons.“
Howe­ver, sin­ce the docu­ments deal both with the legal requi­re­ments for the use of video con­fe­ren­cing solu­ti­ons and with the authority’s recom­men­da­ti­ons, it is not necessa­ri­ly the case, in our view, that the aut­ho­ri­ty is taking the posi­ti­on that using the­se pro­ducts would vio­la­te the law. This inter­pre­ta­ti­on is sup­por­ted by the fact that the aut­ho­ri­ty merely says that the­se ser­vices “should” be repla­ced, not that they “must” be repla­ced, as well as the fact that the aut­ho­ri­ty does not cite any spe­ci­fic defects. Nevertheless, con­trol­lers which use the afo­re­men­tio­ned ser­vices should remain alert. Respon­ses from affec­ted com­pa­nies and fur­ther state­ments from the Ber­lin data pro­tec­tion aut­ho­ri­ty may bring fur­ther clarity.

back

Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.