New DPIA for SURF and Dutch government on Zoom: all high risks solved
Commissioned by SURF (the ICT purchasing organisation for universities in the Netherlands) and the Dutch government, Privacy Company investigated the data protection risks resulting from the use of Zoom. The outcome of this Data Processing Impact Assessment (DPIA) is that the US videoconferencing company has solved all known high risks. Six low risks remain, but the universities and government organisations can mitigate these risks themselves.
Zoom was willing to make far-reaching changes and has concluded a comprehensive new data processing agreement with SURF. Because Zoom makes it possible to encrypt conversations, chats and meetings with a private key (end-to-end encryption, E2EE), there are no high risks associated with the transfer of the encrypted Content Data to the United States. The transfer risks are described separately in a Data Transfer Impact Assessment (DTIA).
With the permission of SURF and SLM Rijk (the strategic vendor management of the Dutch government for Microsoft, Google, and AWS), we are publishing this blog about our findings. If you have any questions about the DPIA, please contact SURF's communications department at communicatie@surf.nl.
Zoom
Zoom enables people to meet in videoconferences and share information one-to-one or in large groups via chat, with people inside and outside their organisation. To make use of the online services, users can install software on their own devices or log in via a browser. This DPIA examined Zoom's data traffic from installed applications on the operating systems MacOS, Windows, iOS and Android, and via a Chrome browser.
Risks of transfer to the United States
The new DPIA is mainly about the risks of collecting and processing so-called Diagnostic Data, i.e. data about the individual use of the services. For example: how often you call and meet with whom via Zoom, from which location, and whether your camera is on or off.
Like other cloud providers, Zoom collects Diagnostic Data in several technical ways, via system-generated logs of events on its cloud servers and via the so-called telemetry client built into the software on the end-user's device. That client is programmed to systematically collect telemetry data on the end user's device and regularly send it to Zoom's servers in the US. This also occurs when using Zoom via the browser. The Diagnostic Data are different from, and technically distinguishable from, the functional data that Zoom must (temporarily) process to enable users to use Zoom's Internet services.
This report is not limited to Diagnostic Data, but also deals with the transfer risks of Content Data, in image, sound and text.
New privacy conditions for universities and the Dutch government
Privacy Company conducted a DPIA on Zoom on behalf of SLM Rijk in 2020-2021. In May 2021, nine high and three low data protection risks for data subjects were found. SURF then took the lead in this investigation and, from the summer of 2021, together with Privacy Company, engaged in extensive discussions with Zoom. This led to Zoom taking, and committing to, a large number of mitigating measures. The agreements were laid down in a new contract, a new comprehensive data processing agreement and a signed action plan with timelines for the agreed measures. Zoom has also implemented almost all of the improvements in its new general data processing agreement for all European customers with an Enterprise or Education licence. The most important measures that Zoom has taken are:
- Zoom factually and formally acts as a data processor for all personal data. Not only for Content Data, but also for the Account Data, Diagnostic Data, Support and Website Data (during and after login). The data processing agreement contains a limitative list of clear purposes for which Zoom may process the data. The agreement rules out that Zoom may ever process the data for marketing, profiling, research, analytics or targeted advertising. Zoom may 'further' process some of its customers' personal data for a second limitative list of specific purposes if the processing is strictly necessary, for example to send invoices, respond to abuse complaints or predict network capacity requirements.
- The agreed privacy conditions apply in full to guest users taking part in a meeting organised by a university: even if these participants are using a consumer account, Zoom is not allowed to process these data for its own commercial purposes.
- Zoom has undertaken to process all personal data exclusively in European data centres by the end of this year. Already before that, by mid-2022, Zoom will ensure that questions and complaints from European customers are always handled by a European helpdesk, unless the customer himself indicates with a support ticket that he agrees to get help from a subprocessor outside the EU, for example outside office hours. However, there remains a risk that US authorities order Zoom to provide access to the data it processes in Europe, without informing the customer. Zoom has cooperated intensively in drawing up a comprehensive risk analysis of the transfer of personal data, a Data Transfer Impact Assessment (DTIA). This DTIA shows that the probability of occurrence of this risk is extremely low, namely less than once every 2 years.
- Zoom has published a lot of information on the types of personal data it processes, including detailed information on the telemetry data it collects.
- Zoom has explained the necessity for its retention periods, and significantly shortened many of them.
- Zoom has concluded new European standard contractual clauses (SCCs) with its subprocessors, so that these parties also comply with the agreements in the new data processing agreement.
- The data processing agreement contains a number of firm commitments on the application of privacy by design and data protection by default. For example, Zoom may never ask end-users' consent for new services and new types of processing. This is done centrally via the system administrator.
- Zoom will develop access portals and a self-service centre for direct marketing so that end-users, system administrators and Zoom's commercial contacts (such as vendor managers) can themselves request access to the personal data processed about them and provide consent for targeted mailings.
Six low privacy risks
The result of this DPIA is that there are no known high risks for the processing of personal data by Zoom. There are six low privacy risks, but the universities and institutions can largely mitigate these risks themselves. The risk assessment assumes that Zoom will comply with its contractual commitments and continue to consult with SURF. This is especially important because, at the end of 2022, the data protection supervisory authorities will publish the results of their joint investigation into the use of cloud services by public sector organisations (both government and education). The six low risks and their countermeasures are:
1. Access to Content Data by US authorities
- Enable end-to-end encryption for all calls, meetings and chats. Warn users that E2EE is technically not possible when using Zoom via the browser, and that the browser should therefore only be used for non-confidential sessions such as attending a class.
- Choose to process the data in the EU. If E2EE is not possible, make local recordings instead of cloud recordings.
- Complete the sample DTIA for your own organisation.
- Choose the European helpdesk as soon as Zoom opens it.
- Use privacy-friendly settings.
- Use the Webinar function only for public meetings/lectures (no E2EE possible).
- Establish policies to prohibit the use of directly identifiable or confidential data in 'room' and topic names. Do not use labels for groups of users.
2. Transfer of Diagnostic, Support and Website Data to the USA (until the end of 2022)
- Consider using Single Sign On (SSO) with pseudonymous names for employees whose identity must remain confidential. Explain to employees/students that, legally speaking, there is (still) something wrong when they register themselves for a new Zoom account. According to the sign-up screen, the Zoom consumer Terms and the Zoom consumer Privacy Statement apply, while this is incorrect. Zoom will remedy this by the end of 2022 at the latest.
- Use a Vanity URL (such as universiteitX.zoom.us) to prevent IP addresses being transferred to Zoom when users log in.
- Do not use the American mail provider Twilio which Zoom has built in by default to send invitations for Webinars. Use your own European mail provider.
3. Transfer of pseudonymised data to the Trust & Safety Team in the USA
- Follow SURF's and the future EDPB's explanation of whether this risk can indeed be assessed as low, as explained in the DTIA.
4. Lack of transparency about the Account and Diagnostic Data
- Read the newly available, and future, documentation from Zoom and inform end users about the privacy safeguards in the new data processing agreement.
- As soon as Zoom enables it, display your own privacy policy and terms in Zoom's login screen (by the end of 2022).
5. Difficulties exercising data subjects' access rights
- Use the new access portals that Zoom is developing, both to be able to respond to individual access requests from students and employees, and for administrators, to compare public documentation with the result of an access request.
6. Employee surveillance system
- Create a policy to prevent the audit logs and reports from being used as an employee surveillance system.
- Regularly inspect the log files of system administrators' behaviour to verify compliance with internal privacy policies.
Conclusions
If Zoom and the Dutch universities and government organisations apply all agreed and recommended measures, there are no known high risks for the individual users of Zoom's videoconferencing services.
Caveat
It is uncertain how the national data protection authorities will assess the transfer risks in their joint investigation of the use of cloud services by public sector organisations. The results are expected by the end of 2022. For this DPIA, the transfer risks have been rigorously assessed, including in a separate DTIA. If necessary, this DPIA and DTIA will be updated in 2023.
If the EDPB were to assess the risk of onward transfers as high anyway, even after all data are in principle processed by Zoom in European data centres, organisations in the Netherlands would no longer be able to use services of American providers, and the consequences would be much greater than just the use of these Zoom services.