What Data Protection Officers Have to Consider Using Zoom Video Conference
In the past two years, video conferencing, and in particular, the use of Zoom, has skyrocketed. Offices and classrooms struggle to enable an engaging remote experience while maintaining efficient communication with classmates and teammates.
Therefore, the use of services for video and online conferences, classes, meetings, or webinars, such as Zoom, is often desirable. When using such a tool, however, the privacy and data protection requirements of the GDPR must be complied with, even in times of crisis. When selecting the appropriate solution, a company or organization should carefully review and weigh the legal and technical circumstances and document the decision-making process.
The types of data processed when using Zoom depend on how much identifying information the user provides. At a minimum, a name is required to participate in an “online meeting” or to enter the “meeting room.”
When an account is created or further personal data is added, Zoom may process the following data:
- User details:
First name, last name, telephone (optional), e-mail address, password (if “single sign-on” is not used), profile picture (optional), department (optional)
- Meeting metadata:
Topic, description (optional), attendee IP addresses, device/hardware information.
- If recording (optional):
MP4 file of all video, audio, and presentation recordings, M4A file of all audio recordings, a text file of online meeting chat.
- For dial-in with the telephone:
Information on the incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.
In April of 2020, the Federal Trade Commission (FTC) criticized Zoom for its vague definition of end-to-end encryption (E2E) while Zoom itself was storing the cryptographic keys. Zoom later added an E2E setting so that data stays between Zoom users, but this setting is not enabled by default and has to be turned on in Zoom’s settings.
Another issue Zoom experienced was “Zoom bombing,” where anyone with a Zoom meeting ID could enter a call. In response, Zoom added a waiting room feature that lets the administrator admit users to a call individually, as well as password-protected calls. Similarly, the six-digit Zoom meeting password could be cracked in less than 30 minutes, so the company replaced it with alphanumeric, admin-created passwords.
There were many more security issues, such as selling data to Facebook about users who logged into Zoom via the social platform, the software downloading itself on iOS devices, and the ability to turn participants’ cameras on and forcibly add users to a call. The chat box has also been an issue, since hackers could tamper with and create malicious GIF files (which were subsequently banned) and other file types, e.g. compressed files like .zip files, Untitled.html, Untitled.properties, Untitled.rtf, and Untitled.txt. The admin can still decide which kinds of files are allowed to be sent in the chat box.
Video conferencing for companies does not necessarily have to pose a security risk. In addition to the location of the servers and the service provider, the following aspects should also be viewed and evaluated when selecting the software that is right for you:
- Is there a business version of the desired tool? These versions often offer even higher security standards. Is business use permitted?
- Does the video conferencing system offer data protection-friendly process and setting options (Art. 25 (2) GDPR)?
- Does the transmission take place in encrypted form? How is the information encrypted (e.g., end-to-end)?
- Is explicit consent required for on-screen transmission or recording?
- Are call histories and recordings deleted after the end of the call? If not, can this be changed?
- Are behavioral profiles of the participants created? If yes, can this feature be turned off?
- For any tracking, observation, logging, screen-sharing, and recording functions, we recommend regularly checking whether these functions are essential and/or can be turned off in the settings.
Although Zoom has been criticized many times, the company is constantly working with security researchers to find flaws and has addressed and fixed most of the alarming security issues. Users should still be aware of phishing e-mails carrying Zoom invites, sent with common subjects like “Zoom invite,” that ask the recipient to log in. Zoom administrators and users are also advised to create password-protected meetings, use the waiting room feature, and lock the session once everyone is in attendance.
Nevertheless, consulting 2B Advice data privacy experts is always the safest way to ensure that the tools your employees are using meet data privacy standards.