Video conferencing: Using Zoom in compliance with data protection law

Stefan Hessel

Video conferencing service provider Zoom has made adjustments to its privacy policy following an exchange with SURF, an association of Dutch education and research institutions. In its new data protection impact assessment (DPIA), SURF therefore concludes that there are no great data protection risks associated with the use of Zoom. For the transfer of personal data to third countries, a data transfer impact assessment was also carried out, which confirms the existence of appropriate safeguards for the data transfer.

The main actions agreed between SURF and Zoom are:

  • Development of new data protection functions

Zoom will offer data localisation solutions and mandatorily enable processing in the EU of the personal data of Zoom's European customers by the end of this year. Zoom will establish an EU support service by mid-2022. In case of required assistance of a support outside the EU, the explicit consent of the customer is required. Zoom will improve its ability to handle and respond to requests for information through two self-service tools for corporate and educational account administrators. By the end of 2022, Zoom will build a self-service tool for everyone.

  • Improved transparency and documentation

Zoom has published a Privacy Data Sheet (PDF), which provides public documentation on the processing of personal data and will be updated on an ongoing basis. A new data transfer impact assessment shows that data protection risks from third-country transfers for Zoom customers are minor. Zoom has also clarified that, in principle, the company itself is the controller of all personal data. To the extent that educational and business customers use Zoom as a processor, Zoom is authorised by them to process some personal data under its own responsibility.

  • Improving data protection practices

Zoom has clarified and minimised its practices for retaining personal customer data. Zoom will implement improved privacy-by-design and default processes throughout the product development lifecycle. Internally, new employee training is being introduced to ensure improved data protection by each individual employee.

  • Joint continuous evaluation of progress at two-month intervals

In addition to Zoom's changes, SURF advises implementing additional measures on your own and entering into new data processing agreements with Zoom. With the implementation of these measures, customers should be able to use Zoom for highly confidential communications and no longer be exposed to the data protection risks previously classified as high.

For this purpose, SURF has published recommendations on appropriate Zoom settings (PDF) (for administrators (PDF) as well as for end users and hosts (PDF)).

Practical implications: Can Zoom be used in a GDPR-compliant manner?

When implementing Zoom, numerous data protection issues arise due to the processing of personal data. The DPIA from the Netherlands, which has now been published, and our practical experience show that GDPR-compliant use of Zoom is possible if certain data protection measures are observed. If you want to use Zoom in your company or a public body, the decisive question is therefore not whether it can be used in a way that complies with data protection law, but rather what data protection measures are required for GDPR compliance.

To answer this, we recommend the following five steps:

  • Conduct a data protection impact assessment in accordance with Article 35 GDPR to identify data protection risks and necessary remedial measures, as well as for documentation purposes.
  • Identify usage scenarios and determine groups of data subjects and categories of data in order to be able to define processing operations and purposes of processing.
  • Ensure a legal basis for all specified processing purposes.
  • Assess the risks to the rights and freedoms of data subjects based on the respective usage scenarios.
  • Implement technical and organisational mitigation measures to minimise and eliminate identified risks.

Summary

It is possible to use Zoom in a way that complies with data protection regulations, but this requires that controllers take active steps, implement measures and, above all, document them. It remains to be seen whether the national data protection authorities and the European Data Protection Board will endorse this view. However, Zoom has once again demonstrated its willingness to make improvements in the area of data protection and cybersecurity when justified criticism is brought to the company's attention. German data protection regulators in particular should take note of this when considering issuing product warnings (only in German) or taking action against data controllers due to the use of Zoom in the future.

[March 2022]