Zoom adjusts privacy terms after intensive consultation with SURF

Zoom adjusts privacy terms

After intensive consultation with SURF, Zoom is making changes to the privacy agreements for all Education and Enterprise users in Europe. In addition to these changes and new contractual agreements, SURF advises institutions to implement a number of recommended measures themselves and make new agreements with Zoom. Once these are implemented, there will no longer be any high privacy risks for those involved in using Zoom videoconferencing services; this also applies to highly confidential communications.

Cause

The adjustments follow from the discussions SURF and Zoom had after an initial Data Protection Impact Assessment (DPIA) was conducted in May 2021. That DPIA was commissioned by the Dutch government (SLM Rijk) and SURF. A DPIA is a tool that identifies privacy risks to data subjects. Under the General Data Protection Regulation (GDPR), a DPIA is necessary when there is likely to be a high risk to data subjects. This includes when there is large-scale processing of personal data or processing of sensitive personal data.

Adjustments

Zoom, in collaboration with SURF, has eliminated the privacy risks identified in the first DPIA of May 2021 by making changes to the software and the processing agreements and by committing to future changes. The new DPIA, published below this post, outlines these contractual and technical changes. For example, since November 2020, end-to-end encryption in both one-to-one and group conversations has been possible, and Zoom commits to processing virtually all personal data in the European Union by the end of 2022. Zoom and SURF have agreed on these points, which are included in an agreement. For data going outside the European Economic Area (EEA), a Data Transfer Impact Assessment (DTIA) has been carried out which shows that there are appropriate safeguards for data transfer.

Key measures that emerged from the DPIA

SURF and Zoom have agreed on several actions as part of the collaboration for the DPIA. These include:

Development of new privacy options

  • Data localization solutions: there are privacy concerns about processing personal data in the US. Therefore, European customers prefer all personal data to be processed in the EU. Zoom has committed, in consultation with SURF, to make this possible by the end of this year at the latest.
  • EU support services: Zoom will establish a separate EU help desk by mid-2022 to support EU accounts during EU business hours. If an EU account needs support outside these hours, or has an escalation requiring support outside the EU, Zoom will only provide such support if the customer explicitly orders it.
  • Access requests: Zoom will enhance the ability for customers to respond to requests to view personal data through self-service tools for account administrators at enterprise and educational institutions.
  • Communication preference center: Zoom will develop a marketing preference self-service tool for all account owners by the end of 2022.

Improved transparency and documentation

  • Privacy datasheet: Zoom has improved its public documentation on the processing of personal data with the publication of a privacy datasheet that will be regularly updated.
  • Modified Data Transfer Impact Assessment (DTIA): Zoom has completed a new DTIA based on a format created by Swiss legal scholar David Rosenthal. The DTIA demonstrates that the privacy risks to individual Zoom users are negligible.
  • Clarification of Zoom's roles and responsibilities: Zoom has agreed to reclassify itself as a data processor for all personal data, except for a limited list of situations where the university or college (the “controller”) authorizes Zoom to “further” process some personal data. This also applies when Zoom processes personal data through its publicly accessible website.

Improving data protection by Zoom

  • Retention of personal data: Zoom has clarified and minimized how customer personal data is retained.
  • Privacy by design and standards: Zoom will implement more robust privacy by design and default processes throughout the product development lifecycle.
  • Employee training: Zoom is implementing new training for its employees to ensure they always consider privacy protection when providing support to EU customers.

Measuring progress

Together with SURF, Zoom has developed a roadmap outlining all agreed measures for improved data protection. SURF and Zoom will meet every two months and document progress.

Documentation DPIA

Below you will find all the documentation surrounding the DPIA conducted on Zoom and the manuals to carry out the technical actions.