Safe cloud use: Zoom and SURF together provide seat belts and airbags

Zoom is popular in the Netherlands, but still struggled with a nine privacy issues in 2020. Meanwhile, Zoom can safely be used in Dutch education and research: the Data Protection Impact Assessment (DPIA) on Zoom indicated that using Zoom's video conferencing services no longer poses high risks to users. A great result of an extraordinary public-private partnership project. For this, however, a number of hurdles had to be taken. SURF and Zoom took up that challenge together.

The extra step

That shows very nicely the willingness to achieve a good result together. We all go the extra mile in this special collaboration project”. Because you can call this project of SURF and Zoom a special cooperation. It is already exceptional that a European and an American party cooperate so closely in the field of privacy. But in addition, it is also a public-private partnership. How did it come about and what was the result?

Video conferencing popular during corona

It actually all started in March 2020. Exactly: at the beginning of the corona crisis. That's when the demand for videoconferencing services exploded. In Dutch education, the use of Zoom increased rapidly. That led to questions about privacy protection: did Zoom adequately protect the data of European users?

Initially, SURF and Zoom came to temporary agreements. Then, in October 2020, SURF and the government initiated a DPIA. The DPIA was conducted in collaboration with Privacy Company, a privacy and data protection consulting firm.

What is a DPIA?

DPIA stands for Data Protection Impact Assessment. It is a tool to identify privacy risks of a data processing for users (for example, by applications such as Zoom). And then to take measures to reduce those risks. It follows from the General Data Protection Regulation (AVG) that a DPIA is legally required if there is likely to be a high risk to users, such as large-scale processing of personal data or sensitive personal data.

First DPIA

Sandy Janssen, project leader from SURF: “For this first DPIA, we held a number of discussions with Zoom. In the DPIA, we mapped out the privacy risks for users posed by the use of Zoom. This led in May 2021 to the advice to SURF members to be cautious when using Zoom and not to use the service to process sensitive data. There were too many high privacy risks to users and insufficient prospect that Zoom would resolve the risks found.”

Glory: “Those conversations were the beginning of the collaboration between SURF and Zoom. I had just joined Zoom and was faced with all kinds of difficult questions from Privacy Company's privacy experts, about our data processing. As a privacy lawyer, I actually immediately saw all those questions as something positive: if the Dutch government conducts a DPIA, you know they are interested in your product. But not everyone in our company thought that way: some saw the DPIA as an audit by a regulator.”

More transparency needed

That didn't diminish when the first DPIA turned out negatively for Zoom. Sandy: “The main privacy risk was in the processing of personal data: Zoom was operating as a data controller for most data, but should be acting as a data processor. As a result, institutions using Zoom had less control over users' data. Furthermore, Zoom had to become more transparent about what data it was processing and for what purpose. Another issue was that the data was stored in the United States.

"As a privacy lawyer, I actually immediately saw Privacy Company's tough questions as something positive."

Glory Francke (Zoom)

Great gift

Thus began the project to conduct a new DPIA on Zoom. For this DPIA, SURF had taken over the lead role from the Dutch government. Privacy Company again provided the privacy experts who supported with the research. Sandy: “We were very happy that Glory was able to convince her colleagues to start the collaboration with SURF. Zoom no longer saw the DPIA as an audit, but as an opportunity to learn what the AVG requires, and how to adapt your product to best protect the privacy of European users.”

Working sessions in a collegial atmosphere

Starting in November 2021, Zoom and SURF held intensive work sessions, which were also attended by Privacy Company's privacy experts. Those sessions naturally addressed the larger issues, such as role clarity and transparency. But details were not lost sight of either, such as the use of cookies.

“It was really nice to see how committed the people at Zoom were to this project,” Sandy said. “Once they had management approval to start the collaboration, it no longer felt like we were sitting across from each other, but rather - in a well-nigh collegial atmosphere - we were working together toward a solution.”

That dedication, by the way, is also evident in the fact that Zoom freed up a lot of capacity for this project. Glory: “We took a company-wide approach to this. We involved colleagues from different disciplines in this project to come up with good solutions to the issues: lawyers, technical people, and so on. All of them participated in the working sessions. To implement the solutions, we freed up capacity and redesigned processes in operations.”

''It was very nice to see how dedicated the people at Zoom were to this project."

Sandy Janssen (SURF)

Learning how to apply the AVG

The AVG is new, and it's a European law. As a result, Zoom ran into challenges implementing it. Glory: “The AVG is a principle-based law. For example, one of the principles is that you have to apply privacy-by-design when developing your products. That makes the law flexible, but it does present us with the question of how to apply those principles in our products. SURF has been a great help in helping us apply the AVG, bringing our products more in line with what our customers want.”

Through its collaboration with SURF, Zoom has now resolved many issues. For example, Zoom is more transparent about how they process data, and a processor agreement is now in place. Zoom is also now a processor for a lot of users' personal data, and they also make it clearer when they are data controllers and when they are processors. Furthermore, Zoom has agreed to process almost all personal data of European users in Europe by the end of 2022, and a support center is being set up in Europe. After all, data is also processed when providing customer support. Zoom has also improved the security of video calls, including the introduction in October 2020 of end-to-end encryption, as an option in Zoom Meetings.

Second DPIA: no more high risks to users

All this led to the publication of the second DPIA on Zoom in March 2022, on the basis of which SURF gave a positive opinion for the use of Zoom products. SURF believes that Zoom has made sufficient adjustments to the privacy arrangements for all Education and Enterprise users in Europe. Also for highly confidential communications and sensitive personal data.

Sandy: “Institutions can now enter into the processor agreement with Zoom that we drafted in this project. Institutions can also use the DPIA for their own assessment of privacy risks to users. They can do that by, as a follow-up to SURF's work, determining themselves whether Zoom has sufficiently mitigated the risks. After all, institutions themselves remain responsible for the privacy of their staff and students. SURF helps with this, by maintaining contact with the supplier and by offering information to the institutions, such as the DPIA with accompanying documentation.”

“Engage in collaboration”

Glory: “We have come this far thanks to the fruitful cooperation with SURF. So I would wholeheartedly recommend to other service providers who have to deal with a DPIA: don't see the party conducting the DPIA as the enemy, but engage in cooperation! Think of it as a learning process. At the beginning of the 20th century, the automobile was on the rise, but there were no seat belts and airbags yet. Those came later. That's how I see working on a DPIA: through projects like this we are making our services ever safer and more reliable.”

"By working well together, you can reach a solution that is satisfactory to all parties."

Sandy Janssen (SURF)

Everyone satisfied

Sandy also looks back on the DPIA project with Zoom with a good feeling. “Here in Europe, we sometimes wonder whether we shouldn't better stop using American services. After all, cooperation on privacy protection is often difficult. This project shows that it can be done: by working well together you can reach a solution that is satisfactory to all parties. You can see that here: we are happy because our institutions can now use Zoom, a popular tool, safely. An additional advantage of this approach is that a lot of preliminary work has already been done this way: the institutions can use the DPIA to assess the risks for their own users. This is much more efficient than having each institution conduct a full DPIA itself. And Zoom is happy because the use of their videoconferencing service no longer has high risks for users.”

How to proceed?

With this second DPIA, the collaboration between Zoom and SURF does not end. Glory: “Zoom is still implementing a number of solutions, my colleagues are busy with that. We at SURF will regularly check whether new product features meet the agreements made in the DPIA.” Even after that, SURF and Zoom will keep talking to each other, because compliance is not a one-time thing. Processes, products but also laws and regulations can change, making new agreements necessary.

Text: Jan Michielsen