Zoom enhances privacy functionality for education across Europe through partnership with SURF

Zoom verbetert privacy-functionaliteit voor educatie

We are proud to announce that Zoom has reached the next milestone for corporate and educational customers in the Netherlands and across the EEA: The long-standing close collaboration with SURF has led Zoom to refine and update its privacy policy and implement important privacy and security measures. This fulfills Zoom's obligations as agreed in the published DPIA of 2022.

Zoom has been working to fulfill agreements made with SURF to deliver an even more secure digital environment to educational and business customers in Europe. Lynn Haaland, Chief Privacy Officer at Zoom explains, “Working with SURF has really helped refine and validate our policies and features around data localization capabilities in Europe - and that is now open to all of our business and educational customers. SURF is known internationally for its robust approach in working with tech companies, which is why we are so pleased to have won SURF's trust. We believe this demonstrates Zoom's continued commitment to Zoom customers across the EEA.”

As a result of the updated DPIA, conducted by Privacy Company on behalf of SURF, Zoom has made significant progress in adapting to EU privacy standards. In doing so, Zoom has taken a proactive approach, namely that of privacy by design and privacy by default. Some of the measures taken include:

  • The amount of personal data processed exclusively in the EU has been greatly increased: although Dutch customers were initially the focus of the collaboration, Zoom announces that all of its business and educational customers in the EEA will benefit from these changes.
  • User-friendly tools for data requests: with the introduction of a new portal in 2023, administrators can now request access to personal data using a self-service tool. By the end of 2024, end users will also be able to directly submit a data access request (DSAR) themselves. The response to a access request will be presented in a clearer format, think of a description of each file and in an understandable order for the user. With this self-service tool, Zoom not only increases users' control over their data, but also promotes transparency and accountability.
  • Greater clarity on data retention and processing: transparency is improved by providing insight into data retention periods. Zoom enables users to better understand how their data is managed and protected by streamlining this information.
  • Specification of the role of Zoom and its sub-processors: by defining processing activities in the DPA, Zoom has clarified its role as a data processor or data controller. Zoom requires its sub-processors, and its sub-processors, to comply with contractual obligations in accordance with the Data Processing Agreement (DPA), including Standard Contractual Clauses (SCCs) for onward and international transfers.

In addition, there are a number of updates in other areas, including:

  • Increased transparency about diagnostic data: Zoom provides more transparency on how diagnostic data is processed, ensuring that no more telemetry data is collected than necessary. These privacy considerations were built into the product development process from the beginning. This is in line with the principle of privacy by design.
  • EU support services: Zoom has established a dedicated support team within Europe so that customers can receive technical support directly. All information from support calls made during business hours are processed in the EEA by local staff.

CSAM

Measures have also been taken regarding material surrounding child sexual abuse (CSAM). Measures have been implemented for reporting CSAM material to the National Center for Missing & Exploited Children (NCMEC) in the US. To enable secure transmission, only exact matches, after human review, are reported.

Commercial communications

To further improve ePrivacy compliance, Zoom has refined privacy settings for sending commercial communications. Administrators and end users will no longer receive commercial communications, only the commercial contact will receive these communications.

Collaboration with SURF

By setting a high standard for privacy with the use of privacy by design and privacy by default principles, Zoom demonstrates its commitment and thereby strengthens trust. Through ongoing collaboration with SURF, Zoom continues to prioritize privacy and security and ensures that users can continue to safely use the video platform.

Zoom's ongoing commitment to privacy

Zoom is demonstrating a proactive approach to adhering to the privacy principles and standards embedded in the GDPR.

“We are proud of the changes our partnership with Zoom has produced,” said Jet de Ranitz, CEO and chair of SURF's board of directors. “With this result that puts privacy first, Zoom is taking a big step that benefits the entire EEA.”

Zoom's commitment to European standards and practices has not gone unnoticed. In 2023, Zoom received several certifications and attestations from regulators and independent organizations. These are all documented in the Trust Center. Here you will find, among others, BSI C5 and gpaNRW in Germany and the ENS in Spain. In addition, Zoom, together with other vendors, helped to draft the new German DIN SPEC 27008, which contains the minimum security requirements of video communication solutions.

Transparency and reliability

“Transparency is important, especially in the modern technology landscape,” says Lynn Haaland. “These initiatives are designed to provide users with insights and options so they can decide where their data goes and how it is used. As a result, users get the transparency they need to build a trusted relationship with Zoom as a technology provider.''

While Zoom has now achieved a milestone for its customers in the EEA, they are committed to building on customer trust and are constantly working to improve the platform. Important work has been done on the transfer of personal data to third countries, improving transparency for diagnostic data and simplifying requests from data subjects. As part of its agreements with SURF, Zoom will release a Diagnostic Data Viewer for telemetry data for educational and business customers in the first half of 2024. In the second half of 2024, they will develop a solution for direct data access and privacy tools.

More information

For more information on the changes implemented and other recommendations, you can view the DPIA here. If you want to find more privacy information at Zoom, visit their Trust Center.

Related posts