Zoom, Microsoft Teams, etc. – Data protection issues connected with video conferencing tools


Meetings are necessary – even in times of coronavirus and working from home. Most businesses now have to rely on video conferencing software to continue face-to-face communication with customers, business partners and colleagues. The popular Zoom app has come under fire for its data protection practices, prompting many to ask what they need to look out for when choosing and using these tools for their businesses.

Most such conferencing tools are designed as SaaS (Software as a Service), where the supplier provides not only the software but also the infrastructure and other necessary services. Platform providers process personal data on behalf of businesses using their software, making them the ‘processor’ under the terms of Art. 4 No. 8, 28 of the General Data Protection Regulation or GDPR. This means a processing agreement has to be concluded with them.

But even if the software comes from the processor, the business using the tool remains responsible for data protection (Art. 4 No. 7 GDPR). Furthermore, according to Art. 28 Par. 1 GDPR, businesses are obliged to work only with processors who comply with the data protection regulations of GDPR. A company’s data controller also has to be able to give account of the processors used. The foundations of data protection, therefore, are laid when choosing a provider.

What do you actually have to look out for when choosing a video conferencing provider?

Zoom, Microsoft Teams, Google Hangouts, Skype for Business, WebEx-Meetings and many more – there are many ways of communicating from one home office to another. The tool a business actually chooses should depend very much on whether its provider has taken sufficient technical and organisational steps to protect personal data. Requirements may be evaluated very differently. Firms in the health industry will have higher security requirements than businesses in other areas.

Handling data in compliance with fundamental data protection principles

The key to choosing a provider is that they handle data in compliance with the fundamental principles of GDPR, and especially that they deal with it in a transparent and legal way (Art. 5 Par. 1 lit. a) GDPR). You need accurate information about how they process data and employ third parties. US-based company Zoom came under the scrutiny of New York’s Attorney General, because it was passing on data to social network Facebook while failing to tell users properly in its data protection statements. Zoom has since announced that it will no longer be giving data to Facebook, and it has revised its data protection declaration.

The following points are especially important when selecting a provider, and may need to be adapted by the business from a tool’s factory settings.

Metadata and content should not be evaluated or passed on

The commercial processing, evaluation and passing-on of metadata and content must be contractually excluded.

Potential staff profiling

You need to be sure that video conferencing tools do not analyse the performance of your own employees or undertake ‘worktime tracking’, or that any such options that do exist can be deactivated. But because the tool can potentially be used to monitor working procedures in this way, its use requires the approval of employee representatives according to § 87 Par. 1 No. 1 and 6 BetrVG (German industrial relations law), regardless of whether the employer actually uses the tool for monitoring. It should also be noted that a business must perform a data protection impact assessment as described in Art. 35 GDPR, a kind of risk evaluation under data protection law, if video recording leads to any kind of profiling of participants. Other processing activities for which such an assessment is mandatory are given in the lists published by data protection authorities, although they rarely occur in conjunction with video conferencing tools.

Limiting log files / chats / data exchange, etc.

Conversations, chats and log files should be deleted by the system at the end of a conference.

Blurring

There should be an option to blur backgrounds during video transmission to protect the privacy of users (and their family members), especially when working from home.

Access restriction

Participants should not be given access to the video conference until they log in or enter an access PIN or are approved by the organiser.

Technical measures

Technical precautions should be taken to ensure that data is handled as sparingly as possible. It must be made easy for users – even ones who are not very technically savvy – to decide largely for themselves how much of their data is passed on to providers (privacy by default / privacy by design).

Data security is also important. Transport layer and end-to-end encryption are preferable when transferring data. The provider should themselves possess internationally recognised certificates (ISO, C5) that indicate high security standards.

Special case: recording conferences

Many tools offer a function for recording video and sound. Permission must be obtained from every participant, both for reasons of data protection law, and under criminal law – regarding concealed recording (§ 201 StGB; German Criminal Code). It should be possible to use lists of participants to obtain a prior, express declaration of consent from participants in the run up to scheduled conferences such as training courses; but this may be impractical in the case of spontaneous conferences.

The default setting in most tools is that the user has to actively switch on their camera and microphone when they begin to participate. It would be a good idea to enforce a similar procedure when beginning to record: the tool could be set up technically so that the camera and microphone automatically deactivate as soon as a participant begins to record. A window could also open indicating that recording has begun. This could be used to comply with transparency requirements by providing data protection information pursuant to Art. 12, 13 GDPR. If the participant then actively switches their camera and microphone back on and accepts the statements about recording, this can be considered consent to be recorded.

Communicating with your own employees

As well as considering the default settings offered by each provider, you also need to sensitise your own employees to the handling of data. You should clearly communicate which documents and content may be shared in video conferences using features like ‘desktop sharing’. Furthermore, internal corporate guidelines should make it clear that participation in video conferences is optional for all employees, and that they may at any time participate by telephone instead.

Summary

It seems that from the point of view of data protection law, there is no perfect tool for video conferencing as yet. But few companies will be able to do without video conferences. If telephone and email conferences are not enough, you can satisfy data protection law to a large extent by following the points we have made about choosing a provider. You also need to sensitise your employees and other participants accordingly, in order to comply sufficiently with data protection law during the coronavirus crisis.

 

Your contact person:
Tobias Neufeld, LL.M., Partner
+49 172 6865 911
E tobias.neufeld@arqis.com
