Zoom is making progress in last mitigation steps from DPIA 2024

In April 2024, SURF published an updated DPIA on Zoom Education. The DPIA concluded that there were no more known high data protection risks. Zoom agreed to implement two extra measures to mitigate low risks by the end of 2024. Zoom agreed on releasing a Diagnostic Data Viewer (‘DDV’) for the Telemetry Data, and to build tools for Education end users for direct access to their personal data. SURF tested the measures and in this post we give you an update about the items that Zoom has implemented or is implementing soon. 

DSAR tool

Zoom has implemented a new DSAR tool, in line with the commitments. Zoom presented a clear overview of how the new features work. 

Telemetry Data

Users can enable a Diagnostic Data Viewer (DDV) in the Zoom app to access the Telemetry Data collected from their device as they are sent to Zoom. Telemetry events register usage of the cloud services, with pseudonymous identifiers. Zoom documents these events at their Zoom Support page. 

Future adjustment: access to historical telemetry data

Following recommendations from SURF, Zoom will also provide access to the historical telemetry data it has stored on its own servers. Zoom will make these data available in response to a Data Subject Access Request (DSAR), independent of the user choice to enable the DDV in the app.

Zoom has committed to implement this measure in February 2026. SURF will test the adequacy of this new feature in February 2026. 

SURF remains enthusiastic about the collaboration with Zoom. If the education organisations apply the recommended measures, SURF is confident that the risk assessment in the DPIA remains up to date, with 6 low data protection risks.