This is a great result from an exceptional public-private partnership project, in which SURF and Zoom overcame a number of hurdles by working together.
Glory Francke is a European and American privacy attorney at Zoom, and leads the collaboration with SURF: "During this project, we had a number of intensive work sessions, online of course. Because of the large time difference between the Netherlands and Seattle, we often had meetings over a meal. But while Zoom employees ate breakfast, it was dinner time for SURF employees. That shows the willingness to achieve a good result together. We all went the extra mile in this exceptional collaborative project."
This project by SURF and Zoom can certainly be called exceptional. It is already exceptional that a European and an American party work together so closely in the field of privacy. But it is also a public-private partnership. How did it come about and what was the result?
Video conferencing hits a new level of popularity
It all started in March 2020 with the beginning of the COVID-19 pandemic when the demand for video conferencing services exploded. In the Dutch education sector, the use of Zoom increased rapidly. This led to questions about whether Zoom sufficiently protected the data of European users.
Initially, SURF and Zoom came to a temporary agreement. Then, in October 2020, the Dutch government and SURF initiated a DPIA. The DPIA was conducted in collaboration with Privacy Company, a privacy and data protection consultancy agency.
What is a DPIA?
DPIA is short for Data Protection Impact Assessment. It is an instrument to identify the privacy risks that data processing (e.g. by applications like Zoom) poses to users, and then to advise on measures to reduce those risks. According to the General Data Protection Regulation (GDPR), a DPIA is legally required when the processing is likely to result in a high risk for users, e.g. in the case of large-scale processing of personal data or of sensitive personal data.
Sandy Janssen, SURF project manager: "For this first DPIA, we held a number of discussions with Zoom. In the DPIA, we identified the privacy risks for users that the use of Zoom entails. In May 2021, this led to the advice to SURF members to exercise caution when using Zoom and not to use the service to process sensitive data. There were too many high privacy risks for users and there was insufficient perspective that Zoom would solve the risks identified."
Glory: "Those discussions were the start of the collaboration between SURF and Zoom. I had just started working at Zoom and was confronted with all kinds of difficult questions from the privacy experts at Privacy Company about our data processing. As a privacy attorney, I immediately saw all these questions as something positive: if the Dutch government carries out a DPIA, you know that they are interested in your product. But not everyone in our company felt the same way: the DPIA was seen by some as an audit from a regulator."
That feeling didn't improve when the first DPIA had a negative outcome for Zoom. Sandy: "The most important privacy risk lay in the processing of personal data: Zoom operated as a data controller for most data but should have acted as a data processor. As a result, institutions that used Zoom had less control over the users' data. Zoom needed to be more transparent about what data it processed and for what purpose. Other issues included the storage of data in the United States."
The first DPIA was a helpful lesson for Zoom. "It was actually a great gift for us," Glory explains. "This DPIA showed that we were not yet transparent enough. I was able to convince our management that we could put this right by collaborating with SURF. As a company, we have no interest in storing data. We don't depend on advertisements for our income like some other providers in the market. We want to do it right, but we could use some help."
Thus began the project to conduct a new DPIA on Zoom. For this DPIA, SURF had taken over the leading role from the Dutch government. Privacy Company, again, provided the privacy experts who assisted in the investigation. Sandy: "We were very pleased that Glory was able to convince her colleagues to start working with SURF. Zoom no longer saw the DPIA as an audit, but as an opportunity to learn what the GDPR requires, and how you can adapt your product so that it best protects the privacy of European users."
Working sessions in a collegial atmosphere
Starting in November 2021, Zoom and SURF held a number of intensive work sessions in which privacy experts from Privacy Company were also present. In those sessions, the group discussed larger issues, such as role clarity and transparency, but didn’t skip over details such as cookies.
"It was great to see how committed the people at Zoom were to this project," says Sandy. "Once they got management's approval to start working together, it no longer felt like we were sitting opposite each other, but we were rather working together towards a solution — in an almost collegial atmosphere."
That dedication is also reflected in the fact that Zoom freed up a lot of capacity for this project. Glory: "We approached this company-wide. We involved colleagues from various disciplines in this project in order to find good solutions to the issues — lawyers, technical people, and so on. They all took part in the working sessions. For the implementation of the solutions, we freed up capacity and redesigned business operations processes."
Learning to apply the GDPR
The GDPR is new, and it is a European law. As a result, Zoom still faced implementation challenges. Glory: "The GDPR is a principle-based law. One of the principles, for example, is that you must apply privacy-by-design when developing your products. That makes the law flexible, but it does pose the question of how we should apply those principles to our products. SURF has helped us enormously in applying the GDPR, and thus in making our products more compatible with what our customers want."
By cooperating with SURF, Zoom has resolved a large number of issues. Zoom has become more transparent about how it processes data, which resulted in a processing agreement. In addition, Zoom is now a processor for most of its users' personal data, and has made it clearer when it acts as a data controller and when as a data processor. Zoom has also promised to process almost all European users' personal data in Europe by the end of 2022, and to offer a support centre in Europe, since data is also processed when providing customer support. Meanwhile, Zoom has also made progress in securing conversations, e.g. by implementing optional end-to-end encryption for Zoom Meetings, released in October 2020.
Second DPIA: no high risks for users anymore
All this led to the publication of the second DPIA on Zoom in March 2022. SURF believes that Zoom has made sufficient changes to the privacy arrangements for all Education and Enterprise users in Europe, including where highly confidential communication and sensitive personal data are concerned.
Sandy: "Institutions can now conclude the standard processing agreement with Zoom that we drew up in this project. Institutions can also use the DPIA for their own assessment of the privacy risks to users. They can do so by, as a follow-up to SURF's work, determining for themselves whether Zoom has sufficiently mitigated the risks. After all, institutions remain responsible for the privacy of their staff and students. SURF is helping by maintaining contact with the supplier and providing information to institutions, which includes the DPIA and the supporting documentation."
Glory: "We've come this far thanks to the fruitful collaboration with SURF. I would therefore warmly recommend to other service providers who are faced with a DPIA: don't see the party performing the DPIA as the enemy, just collaborate! Consider it a learning process. At the beginning of the twentieth century, the automobile was on the rise, but there were no seat belts or airbags; those came later. That's how I see working on a DPIA — through projects like this, we are making our services safer and more reliable."
Everyone is satisfied
Sandy also looks back on the DPIA project with Zoom very positively. "Here in Europe, we sometimes wonder if we should stop using American services altogether. After all, cooperation in the area of privacy protection is often difficult. This project shows that it is possible — by working well together, you can reach a satisfactory solution for all parties. An additional advantage of this approach is that a great deal of preparatory work has already been done this way: institutions can use the DPIA to assess the risks to their own users. This is much more efficient than each institution having to conduct a full DPIA. And Zoom is happy because the use of their video conferencing service no longer involves high risks for users."
How to proceed?
This second DPIA does not mean the end of the collaboration between Zoom and SURF. Glory: "Zoom is still implementing a number of solutions; my colleagues are working hard to get them ready. We will regularly check with SURF on whether new product features comply with the agreements made in the DPIA." SURF and Zoom will continue to meet with each other because compliance is not a one-off issue. Processes, products, legislation, and regulations can change, making new agreements necessary.
words: Jan Michielsen