Vendor compliance
On behalf of institutions, we perform privacy and security risk analyses on vendors. In this way, we jointly fulfil statutory obligations. By combining expertise, we achieve cost savings and knowledge sharing, and we have a stronger negotiating position towards vendors on behalf of the education and research sector.

''By engaging and staying in dialogue with vendors, we secure the best privacy and security conditions for research and teaching.''

Sandy Janssen


Zoom

After intensive consultation with SURF, Zoom is making changes to the privacy agreements for all Education and Enterprise users in Europe.
18-04-24 | Zoom improves privacy functionality for education across Europe through partnership with SURF

18 April 2024 - We are proud to announce that Zoom has reached the next milestone for corporate and educational customers in the Netherlands and across the EEA. Years of close cooperation with SURF have resulted in Zoom tightening and updating its privacy policy and implementing important privacy and security measures. In doing so, Zoom is fulfilling the obligations agreed in the published DPIA of 2022.

As a result of the updated DPIA, conducted by Privacy Company on behalf of SURF, Zoom has made significant progress in adapting to EU privacy standards. In doing so, Zoom has adopted a proactive approach, namely that of privacy by design and privacy by default. Some of the measures taken include:

  • The amount of personal data processed exclusively in the EU has been greatly increased: although Dutch customers were initially the focus of the cooperation, Zoom announces that all its business and educational customers in the EEA will benefit from these changes.
  • User-friendly tools for data requests: with the introduction of a new portal in 2023, administrators can now request access to personal data using a self-service tool. By the end of 2024, end-users will also be able to submit a data subject access request (DSAR) directly themselves. The response to an access request will be in a clearer format, for example with a description of each file and in an order the user can understand. With this self-service tool, Zoom not only increases users' control over their data, but also promotes transparency and accountability.
  • Greater clarity on data retention and processing: transparency is improved by providing insight into data retention periods. Zoom enables users to better understand how their data is managed and protected by streamlining this information.
  • Specification of the role of Zoom and its sub-processors: by defining processing activities in the DPA, Zoom has clarified its role as a data processor or data controller. Zoom requires its sub-processors, and their sub-processors, to comply with contractual obligations in accordance with the Data Processing Agreement (DPA), including Standard Contractual Clauses (SCCs) for onward and international transfers.


In addition, there are a number of updates in other areas, including:

  • Increased transparency on diagnostic data: Zoom provides more transparency on how diagnostic data is processed, ensuring that no more telemetry data is collected than necessary. These privacy considerations have been built into the product development process from the outset. This is in line with the principle of privacy by design.
  • EU support services: Zoom has set up a dedicated support team within Europe so that customers can get technical support directly. All information from support calls made during business hours is processed in the EEA by local staff.

CSAM
Measures have also been taken regarding child sexual abuse material (CSAM). Measures have been implemented for reporting CSAM to the National Center for Missing & Exploited Children (NCMEC) in the US. To enable secure transmission, only exact matches, after human assessment, are reported.

Commercial communication
To further improve ePrivacy compliance, Zoom has refined privacy settings for sending commercial communications. Administrators and end users will no longer receive commercial communications; only the commercial contact will receive these communications.

Cooperation with SURF
By setting a high standard for privacy with the use of privacy by design and privacy by default principles, Zoom demonstrates its commitment and thereby strengthens trust. Through continuous cooperation with SURF, Zoom continues to prioritise privacy and security and ensures that users can continue to safely use the video platform.

Documents

21-08-23 | Changed general terms and conditions for Zoom's free services do not affect Dutch (and European) education

21 August 2023 - Zoom updated its global consumer terms and conditions (for free services) in March this year. Those amended terms state that Zoom has the right, in the future, to analyse customer data with AI. These changes have no negative impact on Zoom's European paying customers and, in particular, Dutch educational institutions using the processor agreement negotiated by SURF.

Other general terms and conditions for education

Paying customers and educational institutions sign different general terms and conditions. SURF has worked intensively with Zoom over the past two years to negotiate very competitive privacy terms for the Dutch education sector. As part of this process, Zoom has tightened its European privacy policy for all business and education customers. This tightened policy describes that Zoom acts as a processor, and is therefore only allowed to process personal data for the purposes set out in the agreement.

The processor agreement takes precedence over all other legal documents

In a nutshell, this agreement prohibits Zoom from processing customers' personal data for commercial purposes such as profiling, marketing or big data analytics, regardless of whether it is the content of calls or data on the use of the software and participation in video conferences. The processor agreement takes precedence over any text in other legal documents and also protects the data of participants with a free account during Zoom sessions with participants with paid (educational) licences. If a paid licence participates, users with a free account are also covered by the terms of the concluded education processor agreement. Thus, the change in global terms has no negative impact on Dutch (and European) education.

Zoom has stated in response to the outcry that it has never processed data of free or paying customers with AI and that it regrets that confusion has arisen in this regard. In this statement, Zoom specifically explains the situation for SURF.

SURF remains in constant dialogue with Zoom

Zoom and SURF have regular discussions about the processing of personal data and possible ways to deploy AI in a privacy-friendly manner. The main point is always that the educational institutions themselves should be able to decide whether they want to use that kind of service.

06-06-23 | Zoom introduces global improvements around personal data privacy

6 June 2023 - Ensuring privacy is key to users' trust in technology companies. You want to use digital technologies knowing that your personal data is safe. Zoom's privacy, product and technical teams have therefore focused on developing user-friendly and scalable solutions that allow users to set their own data and privacy preferences. From today, you will have access to a range of tools and features that will give you greater insight and control over your own data.

What do the changes entail?

  • Data storage within the EEA: paying customers within the European Economic Area (EEA) can now choose to store their data for meetings, webinars and Team Chats physically within the EEA. This data will be shared with Zoom teams in the US, such as the Zoom Trust & Safety team, only on an individual basis and exceptionally.
  • European support team: Zoom has established a support team within Europe. Users can now get technical support during business hours from support staff in the EU if they have signed up for it. All information is then processed within the EEA.
  • Access and deletion requests: Zoom has developed a tool that allows administrators to easily fulfil their users' access and/or deletion requests. This applies to Zoom meetings, webinars and team chat. This tool is an aid to GDPR compliance.
  • Marketing preference centre: users can opt-in or opt-out of all Zoom marketing communications and newsletters with a single click.
  • Audit log tracking: audit logs record the specific actions administrators perform on behalf of users. Account owners and administrators now have the ability to track when these logs are exported or deleted.
  • Retention policies: users will have greater insight into Zoom's data retention and deletion policies, and the actions Zoom takes to ensure compliance.

"We are proud to offer these privacy updates to our customers," said Lynn Haaland, chief compliance, ethics and privacy officer at Zoom. "These new tools give our European users more control over where their data is processed and stored. In addition, you have the option to delete personal data. Institutions can choose us knowing that they have a supplier committed to protecting their data."

Collaboration is key

Zoom's new privacy features were developed as part of its close relationship with SURF, the collaborative organisation for IT in Dutch education and research. This collaboration began in 2021 following a Data Protection Impact Assessment (DPIA). As a result, Zoom is making great strides in terms of privacy for its users; many of these new features are a direct result of this close collaboration.

"We are pleased with the changes Zoom has made to its software as a result of our collaboration," said Jet de Ranitz, CEO and chair of SURF's board members. "With the new privacy features and recent adjustments, they have shown that European privacy standards are very important to them. We are very happy with the result and the positive benefits for European users."

Where can you find the settings?

Zoom's new tools for data subject access requests and data deletion are available within the Zoom web portal under 'Privacy'. The marketing preference centre and European technical support can be accessed via the support page. Zoom, in the Zoom Privacy Centre, has started rolling out EEA-level data storage for paying customers within the EEA. Policies around data retention and deletion can be found in the privacy sheet.

More details on Zoom's approach to privacy and security can be found in the Zoom Trust Center.

Zoom updates privacy terms after intensive consultation with SURF

17 March 2022 - Following intensive consultations with SURF, Zoom is making changes to the privacy agreements for all Education and Enterprise users in Europe. In addition to these adjustments and new contractual agreements, SURF advises institutions themselves to implement a number of recommended measures and make new agreements with Zoom. Once these have been implemented, there are no longer any high privacy risks for those involved in using Zoom video conferencing services; this also applies to highly confidential communications.

Reason

The reason for the adjustments is the discussions SURF and Zoom had after an initial Data Protection Impact Assessment (DPIA) was carried out in May 2021. This was commissioned by the Dutch government (SLM Rijk) and SURF. A DPIA is a tool that identifies privacy risks for data subjects. Under the General Data Protection Regulation (GDPR), a DPIA is necessary when there is likely to be a high risk for data subjects. This includes when there is large-scale processing of personal data or processing of sensitive personal data.

Adjustments

Zoom, in collaboration with SURF, eliminated the privacy risks identified in the first DPIA in May 2021 by making changes to the software and the processing agreements and by committing to future changes. The new DPIA, published below this post, describes these contractual and technical changes. For example, since November 2020, end-to-end encryption in both one-to-one and group conversations has been possible, and Zoom commits to processing almost all personal data in the European Union by the end of 2022. Zoom and SURF have agreed on this, and these commitments are included in an agreement. For data going outside the European Economic Area (EEA), a Data Transfer Impact Assessment (DTIA) has been carried out which shows that there are appropriate safeguards for data transfer.

Key measures emerging from the DPIA

SURF and Zoom agreed on several actions as part of the cooperation for the DPIA. These include:

Development of new privacy options

  • Data localisation solutions: there are privacy concerns about processing personal data in the US. Therefore, European customers prefer all personal data to be processed in the EU. Zoom has committed, in consultation with SURF, to make this possible by the end of this year at the latest.
  • EU support services: Zoom will set up a separate EU helpdesk by mid-2022 to support EU accounts during EU business hours. If an EU account needs support outside these hours, or has an escalation requiring support outside the EU, Zoom will only provide such support if explicitly instructed by the customer.
  • Inspection requests: Zoom will improve the ability for customers to respond to inspection requests through self-service tools for account administrators at enterprise and educational institutions.
  • Communication preference centre: Zoom will develop a marketing preference self-service tool for all account owners by the end of 2022.

Improved transparency and documentation

  • Privacy datasheet: Zoom has improved public documentation on the processing of personal data with the publication of a privacy datasheet that will be regularly updated.
  • Modified Data Transfer Impact Assessment (DTIA): Zoom has completed a new DTIA based on a format created by Swiss legal scholar David Rosenthal. The DTIA shows that the privacy risks to individual Zoom users are negligible.
  • Clarification of Zoom's roles and responsibilities: Zoom has agreed to reclassify itself as a data processor for all personal data, except for a limited list of situations where the university or university of applied sciences (the 'controller') authorises Zoom to 'further' process some personal data. This also applies when Zoom processes personal data through its publicly accessible website.

Improving data protection by Zoom

  • Retention of personal data: Zoom has clarified and minimised the way customers' personal data is kept.
  • Privacy by design and standards: Zoom will implement more robust privacy by design and default processes throughout the product development lifecycle.
  • Employee training: Zoom is implementing new training for its employees to ensure they always consider privacy protection when providing support to EU customers.

Measuring progress

  • Together with SURF, Zoom has drawn up a roadmap setting out all agreed measures for improved data protection. SURF and Zoom will consult every two months and document progress.

Documentation DPIA

Below you will find all the documentation surrounding the DPIA carried out at Zoom and the manuals to carry out the technical actions.