In the wake of Microsoft’s report card from the Dutch Ministry of Justice and Security, rival messaging platform Zoom gets a nod via a new Data Protection Impact Assessment (DPIA).
The evaluation was carried out by the Privacy Company and commissioned by SURF (the purchasing body of Dutch universities).
The first evaluation started in 2020 and by May 2021 [PDF] concluded that there were nine high and three low data protection risks for users of the video conferencing platform.
These risks included concerns about where personal data was actually processed and the retention of customer data.
The latest DPIA, however, gave the green light to the American videoconferencing giant, albeit with some reservations. Risks remain, but according to the Privacy Company “universities and government organizations can mitigate these risks themselves.”
Zoom’s end-to-end encryption on all chats and meetings got a boost, as did Zoom’s commitment to process all personal data (such as account, diagnostic, and support data) exclusively in European data centers by the end of the year. A European helpdesk (due online in mid-2022) was also approved by the researchers.
However, while there “remains a risk that US authorities will order Zoom to provide access to the data it processes in Europe, without informing the customer”, the probability of that risk materializing was considered low – occurring less than once every two years.
Zoom itself was happy with the assessment, and said the DPIA “reflects Zoom’s respect for European data protection policies and principles.” The events of the past two years have certainly demonstrated the need for virtual meetings and remote working. Zoom is unlikely to want to pass up the revenue potential and has therefore tweaked things, leaving only those exceptional low privacy risks.
These risks include access to content data by US authorities, which is mitigated by means such as end-to-end encryption, “privacy-friendly settings” and the establishment of policies prohibiting the use of identifying data in room or subject names. The transfer of diagnostic and support data is also a concern, but mitigated by the use of pseudonyms and a European email provider.
Microsoft, Zoom’s rival in the chat space, had its own meeting with Dutch authorities in the February DPIA, in which a number of high risks were noted along with mitigations, including enabling end-to-end encryption and not exchanging anything sensitive on the platform in situations where E2EE was not an option. Risks were also noted for users of Google’s productivity suite, and it was spelled out what the tech giants must do to dodge the wrath of regulators.
In Zoom’s case, new privacy features, a European help desk, and a little more transparency seem to have done the trick (although some things, such as processing almost all personal data in the EU, might not happen until the end of 2022). For its part, Microsoft has also pledged that EU data will not leave the EU under its EU Data Boundary.
The latest DPIA also suggested some low-risk mitigations, such as enabling end-to-end encryption for all calls, meetings, and chats, and warning users “that E2EE is technically not possible when using Zoom through the browser, and therefore the browser should only be used for non-confidential sessions such as attending a class.”
It also suggested that institutions make local recordings instead of cloud recordings, consider using single sign-on with pseudonymous names, use a custom URL (such as universiteitX.zoom.us) “to prevent IP addresses from being forwarded to Zoom when users log in”, and “do not use the US email provider Twilio, which Zoom has integrated by default for sending invitations to webinars. Use your own European email provider.”
The Privacy Company report concludes: “If Zoom and Dutch universities and government organizations apply all agreed and recommended measures, there are no known elevated risks to individual users of Zoom’s video conferencing services.”
An update of the DPIA and DTIA is expected in 2023. ®