Although I mention Coronavirus in this article, the advice applies wherever you use video conferencing services, not just during the Covid-19 pandemic.
With the Coronavirus pandemic changing the way businesses operate, we are all looking to do more and more business online, and that includes the way we hold meetings and communicate: video conferencing has become the go-to way to hold meetings with clients, to network and to maintain human contact.
But, have you considered the GDPR and privacy implications of using such services?
Video conferencing services such as Zoom, GoToMeeting, etc. are no different from any other online service provider: if they process any personal data arising from your use of the service, they are your data processor. In GDPR terms that means you need to be satisfied that they are GDPR compliant and that you apply the Article 28 requirements, so that a contract covering that processing is in place. And yes, that includes when you hold a team meeting or invite people to an online discussion via the service, because GDPR defines "processing" very widely.
Minor note: if you are reading this but do not use an online video conferencing provider because you run your own internally hosted service, you will probably only need to worry about the "controller" aspects below, not the processor ones.
What are the GDPR implications of video conferencing services like Zoom?
There are a couple of things to consider:
- You, as the host (i.e. the organiser of the online conference), will be the data controller. You will be processing personal data, so the controller obligations apply: the right to be informed, deciding and documenting what you will do with the data, and recognising that any data you process via the system is covered by GDPR.
- As the video conferencing provider is online/cloud-based, it will be your data processor. The GDPR requires you to ensure that any processor you use is GDPR compliant and that a controller-processor contract (sometimes called a data processing agreement or DPA) is in place. You will also need to be clear about, and understand, what the provider does with data it may collect from your (and your attendees') use of the system.
What does this mean in practice?
As a controller:
- Decide how you plan to use any information, recordings, attendee lists, etc. you will be processing from the session, and consider the GDPR implications and your lawful basis for that processing. You will need to provide this information to attendees (via your privacy policy) and sign-post it appropriately. Don't forget that the right to be informed and the other individuals' rights apply to any registration data you collect, to information recorded during the session, and to how you use the data afterwards. To identify these considerations and the risks arising from the processing, I would suggest you carry out a Data Protection Impact Assessment (DPIA); this will also demonstrate that you have considered carefully what data you will be processing and the inherent risks of that processing. Don't forget any features available to you that attendees may not know you have access to, such as Zoom's ability to tell the host whether an attendee is paying attention.
- If you plan to record the session, make it clear to attendees that this will happen and what you plan to do with the recordings and/or transcripts (e.g. sharing them with all attendees), and spell out the implications for attendees: if they turn on their camera their image will be visible to everyone in attendance; depending on how they have set up their account, their name, email, etc. may be visible to other attendees; and what they say will be recorded. Also be clear that if they screen-share or discuss confidential (or special category) information, this too may be retained as part of the recording, so they should be mindful of their own privacy requirements. You may need to seek explicit consent for such special category data processing, or stop the recording!
- Carry out due diligence on the service provider so that you are satisfied they are GDPR compliant. You should already have a process for this, as it is no different from any other online service that processes personal data for you (e.g. your CRM, email list provider, etc.). Pay particular attention to what the provider says it will do with recordings and with the data it collects on your behalf; you should find this in its privacy policy and/or in any GDPR statements it publishes about how it ensures compliance. And remember, there is a good chance (e.g. with Zoom) that it will be processing this data outside the EU, so check what transfer mechanism (GDPR Chapter V) and what security protections it has put in place to keep that data to EU standards.
- Make sure you sign a data processing agreement (whether a separate document or part of the terms of service) that meets the contractual requirements set out in Article 28.
Using Zoom as a case study
Zoom seems to be getting a lot of attention at the moment as the go-to platform for video conferencing calls and meetings, and I've attended some great online networking via Zoom too. However, other video conferencing services are available and the same issues are likely to arise with them: you will need to check their terms and conditions of service and privacy notices.
That said, I'm using Zoom here as a case study, not least because of the various privacy concerns that have been raised recently as Zoom's popularity has risen:
- Forbes “Zoom’s A Lifeline During COVID-19: This Is Why It’s Also A Privacy Risk”
- BBC “Coronavirus: Zoom is in everyone’s living room – how safe is it?“
- CNET “Now that everyone’s using Zoom, here are some privacy risks you need to watch out for”
- Vice "Zoom iOS App Sends Data to Facebook Even if You Don't Have a Facebook Account" (Zoom say they are changing this in the next update, so it may be in your interest to ask attendees to make sure they are using the latest version of the software)
There is also some useful advice out there:
You can use some of this information in your DPIA risk assessment if you wish. So, if you are considering using Zoom:
- Decide what you are going to use Zoom for and what data you are likely to collect, keep and process from your use of Zoom for calls. As I say above, consider carrying out a DPIA. Bear in mind that you will hold registrants' data, data you may collect when people join the Zoom call, the recording itself, plus anything gathered by any other functionality that Zoom provides to you as "host" of the call (noting the privacy concerns in the articles above).
- Document your due diligence on Zoom. This means reading their GDPR statement, and reviewing and signing their DPA.
- Update your privacy policy to include a Zoom section which explains:
  - What information you collect from hosting a Zoom call and what you will do with that data
  - Zoom's own privacy policy, referenced in terms of how Zoom uses personal data when you host your call
  - How your attendees/users of Zoom can adjust their cookie settings to limit Zoom's own advertising and functional cookies. First-time Zoom users will see a cookie settings popup when they first visit the Zoom link; they should click "Cookie Settings" and adjust the settings accordingly (probably to "Required Cookies" only). Existing Zoom users can change their cookie settings by clicking the "Cookie Preferences" link in the footer of the Zoom website, where they can also view the Zoom cookie policy
  - What happens when sessions are recorded, spelling out that others on the call will be able to see them and their name and hear them. Others may also be able to see the attendee's surroundings, which may include other people or information in the background, unless they use a virtual background
- Make sure a link to your privacy policy is available whenever you register people or ask them to register (e.g. on your website or sign-up form); if possible, link through to the specific section of the privacy policy about Zoom.
- When you run a Zoom session, tell attendees that you will be recording it and what will happen to that recording (e.g. whether it will be shared with all attendees, stored on a video sharing platform such as YouTube, or whether a transcript of everything said will be kept), sign-posting where to find your privacy policy. If necessary, make it clear that by joining the session everyone else will be able to see them and whatever they display and share via Zoom (although that should be obvious from the point the attendees join the session), along with details of any other features you might be using.
In conclusion
From a privacy perspective, as the media articles above suggest, you should consider the privacy risks of video conferencing platforms. Many of these articles (and the underlying report that led to the Forbes article, for example) are slightly scaremongering and rely on users ignoring privacy policies and cookie settings. Provided you can demonstrate that you have assessed Zoom's compliance, are satisfied with the platform's compliance with the GDPR processor requirements, and are open and clear with your attendees, you should be fine.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR