Zoom adapts approach to privacy after intensive, collaborative consultation with SURF

Student behind a laptop

Following an intensive, collaborative consultation with SURF, the ICT service provider for Dutch education and research, Zoom has made and will continue to make changes to its privacy agreements for Education and Enterprise customers in the European Economic Area (EEA). In addition to these changes and new contractual agreements, SURF advises organisations to implement several recommended measures themselves, and to conclude new data processing agreements with Zoom. SURF advises that, as soon as these have been implemented, data subjects can use Zoom for highly confidential communications and will not face what SURF considers high privacy risks.

The adjustments were the result of discussions between SURF and Zoom after an initial Data Protection Impact Assessment (DPIA) was carried out in May 2021. This was commissioned by the Dutch government (SLM Rijk) and SURF. A DPIA is an instrument that identifies privacy risks for data subjects and is considered necessary where there are likely to be high privacy risks for data subjects, including where there is large-scale processing of personal data or processing of sensitive personal data.

Adjustments 

In collaboration with SURF, Zoom addressed the privacy risks identified in the first DPIA in May 2021 by making changes to its software, entering into a processor agreement and committing to future changes. The new DPIA just published describes these contractual and technical adjustments. For example, end-to-end encryption in both one-to-one and group meetings has been possible since November 2020, and Zoom has committed itself to offer enterprise and education accounts the option to have almost all of their personal data processed in the European Economic Area (EEA) by the end of 2022. Zoom and SURF have made arrangements on this which have been included in an agreement. For personal data transferred outside the EEA, a Data Transfer Impact Assessment (DTIA) has been concluded, showing adequate safeguards for the data transfers. 

    Also read the blog 'Safe cloud use: Zoom and SURF together provide seatbelts and airbags', in which Glory Francke (European and American privacy lawyer at Zoom) and Sandy Janssen (project leader at SURF) talk about the result of a special public-private partnership project. A number of hurdles had to be overcome. SURF and Zoom took up the challenge together.

    Most important measures that have emerged from the DPIA

    SURF and Zoom have agreed various measures for the DPIA as part of their collaboration. These include:

    Developing new privacy features

    • Data location solutions: EU Zoom customers have privacy concerns about the processing of personal data in the US and prefer that all personal data be processed in the EU. Zoom has committed, in consultation with SURF, to make this possible by the end of this year. 
    • EU support services: Zoom will establish a separate EU support desk by mid-2022 to support EU accounts during EU business hours. If an EU account requires support outside of those hours or has an escalation that requires support outside of the EU, Zoom will only provide such support if the customer explicitly consents, with each support ticket. 
    • Data Subject Access Requests (DSARs): Zoom will enhance the ability for customers to respond to DSARs with two self-service tools for enterprise and education account administrators. 
    • Communication preference center: Zoom will develop a marketing preferences self-service tool for all account owners by the end of 2022. 

    Improved transparency and documentation  

    • Privacy datasheet: Zoom improved its public documentation on its processing of personal data with the publication of a privacy datasheet that will be regularly updated.  
    • Updated Data Transfer Impact Assessment (DTIA): Zoom has produced a new DTIA based on the format created by the Swiss legal scholar David Rosenthal. The DTIA shows that the privacy risks to individuals using Zoom are negligible. 
    • Clarifying Zoom’s roles & responsibilities: Zoom agreed that it was appropriate to reclassify itself as a data processor for all personal data, except for a limited list of situations in which the education and enterprise customers (the data controllers) authorise it to ‘further’ process some personal data as an independent data controller. This also applies to the personal data Zoom collects through its publicly available website.  

    Enhancing Zoom’s data protection practices

    • Personal data retention: Zoom has clarified and minimized its customer personal data retention practices. 
    • Privacy by design and default: Zoom will implement more robust and aggressive privacy by design and default processes throughout their product development lifecycle.  
    • Employee training: Zoom is deploying new training for its employees to ensure they always consider privacy protections while delivering support to its EU customers.  

    Measuring our progress

    • Together with SURF, Zoom has documented opportunities for improved data protection and a roadmap for achieving these goals. SURF and Zoom will discuss the progress in a bi-monthly schedule. 

    Documentation DPIA

    Below you will find all the available documentation concerning the DPIA on Zoom and the manuals for carrying out the technical actions.

    Q&A - general

    What is a DPIA?

    A DPIA, Data Protection Impact Assessment, is an instrument to map out privacy risks for data subjects. According to the General Data Protection Regulation (in Dutch, the AVG), a DPIA is necessary when there is large-scale processing of personal data or sensitive personal data.

    Why does SURF conduct DPIAs?

    Through SURF, the members make joint agreements with ICT and content suppliers regarding the supply and purchase of products and services. This way members create economies of scale and an efficient point of contact for suppliers. DPIAs are a part of these efforts. In many cases, suppliers process personal data belonging to SURF members. It is therefore important that these suppliers comply with legislation and regulations. SURF collaborates with the government on this topic. Several DPIAs have already been conducted in collaboration with the government.

    A DPIA helps institutions to assess the factual data protection risks for data subjects. The institutions themselves must decide if these risks are acceptable. The SURF DPIAs can help with the decision making process.

    Who can use the DPIA?

    Each institution must decide for itself to what extent the results are applicable to its own organisation. The DPIAs can therefore be used by everyone, including organisations outside of the education and research domain, but must always be interpreted in relation to the organisation's own situation and environment.

    Why is the DPIA in English?

    The DPIA is in English because the working language within Zoom is English. The results should also be clear to Zoom and not be misinterpreted or mistranslated.

    Q&A - questions about the DPIA on Zoom

    Why has a DPIA on Zoom been conducted?

    Zoom is widely used by the SURF members, especially by universities. The members have asked SURF to establish good conditions of use for this service.

    The DPIA on Zoom commissioned by the central Dutch government in May 2021 concluded that there were 9 high risks resulting from the use of Zoom. Subsequently, SURF has discussed measures to mitigate these risks with Zoom. This led to an agreement for improvements.

    What was the scope of this DPIA?

    This Data Protection Impact Assessment (DPIA) examines the data processing via the paid services offered as Zoom Education and Enterprise, on five platforms:

    • as installed app on Android and iOS devices
    • as installed Zoom client for meetings on Windows 10 and macOS
    • usage via the Zoom extension for the Chrome browser

    Additionally, this DPIA analyses the use of the Microsoft Outlook add-in and the usage of cookies and similar technology on the publicly accessible and restricted access Zoom website. 

    What are the outcomes of the DPIA?

    • Zoom provides end-to-end encryption for all meetings, chats and files exchanged. This is the main risk-mitigating measure mentioned by the EDPB for the transfer of personal data to a country outside of the EU without adequate data protection rules.
    • To also reduce the risks for the metadata, Zoom has agreed to process all data exclusively in the EU from the end of 2022 onwards, by setting up a European Cloud and having support data processed exclusively in Europe. When support outside working hours is required, the user can give explicit consent, per ticket, for processing outside of the EEA.
    • The exception is the limited transfer of pseudonymous personal data to the central Zoom Trust & Safety team in the US. Zoom has promised to implement a secure solution for this: a secure connection to ensure the data stay in the EU, or the establishment of a European Trust and Safety team. As a result, there will no longer be any structural processing in the US from 2022 onwards, only incidental processing that is permitted. Compelled disclosure under the US Cloud Act is still possible, but the likelihood is slim. This is comparable to current US providers that already provide services to education and government customers from within the EU (such as Microsoft and Google). The various risk assessments show that the chance of occurrence of this risk is negligible.
    • Zoom has stated that, based on historical data, it considers that there is virtually no chance that it will receive a claim to disclose metadata from education or government organisations to the government.
    • Zoom has promised in a remediation plan to have all mitigating measures implemented before the end of this year. SURF and Zoom have recorded in writing that Zoom will report to SURF on the progress in a bi-monthly schedule.
    • Zoom only acts as a processor for all personal data, unless it is authorised via the data processing agreement to ‘further’ process some personal data as an independent controller. Strict purpose limitation agreements have been made with SURF, both for the ‘processor’ purposes and for the ‘controller’ purposes.
    • Zoom has rigorously shortened retention periods and explained the necessity.
    • Zoom has made substantial progress in its transparency about the processing of personal data (particularly metadata).
    • Zoom will offer a DSAR tool for admins and users before the end of 2022. In addition, a deletion tool is being developed.

    When can educational institutions safely use Zoom?

    We believe that Zoom can be used safely. However, each institution must make this assessment itself and is responsible for it. On the basis of the information in the DPIA, each institution can take an informed decision.

    What do I need to do myself before my institution can use Zoom?

    The DPIA describes measures to mitigate the risks. We have included these measures in a step-by-step plan for implementation, in a cookbook for admins, hosts and users.

    Is it necessary for me to implement all of the technical measures included in the manual?

    Yes. Only then is Zoom configured as privacy-friendly as possible for your users, and only then are the rights of data subjects best safeguarded.

    Can I share the technical measures manual with my vendor who manages our environment?

    Yes, the manual is meant to configure Zoom in such a way that the risks are mitigated as much as possible. If you have outsourced the management of your Zoom environment, the person who has control over your environment (the admin) will have to apply the settings.

    Are the negotiations now finished or are you going to have further discussions with Zoom?

    In addition to the measures it has already taken, Zoom has made promises to take further measures. By the end of 2022, all measures will have been implemented. We are therefore continuing our dialogue with Zoom to ensure progress.

    What were the main issues encountered before, when using Zoom?

    • Zoom did not regard itself as a processor for the data of the education and enterprise institutions.
    • There was a lack of transparency on what data Zoom processed.
    • Data subjects could not sufficiently exercise their rights.
    • Zoom collected too much data.
    • Zoom stored data for too long.

    How are these issues solved now?

    For a detailed description, see the results of the DPIA.

    By entering into discussions with Zoom at management level, the company has committed itself to the agreements and taken technical, organisational and legal measures to mitigate the risks, including:

    • an extensive new data processing agreement was concluded;
    • Zoom provides insight into which personal data it processes;
    • Zoom will provide complete access in manual responses to data subject requests until it has developed an automated tool for this by the end of the year. Data collection has been minimised and Zoom only keeps data for as long as necessary;
    • in order to also reduce the risks for the metadata, Zoom has agreed to carry out all data processing exclusively in the EU from the end of 2022, by setting up a European Cloud and having support data processed exclusively by a European third party. When service is required outside of working hours, the user can give explicit consent per ticket for processing outside the EEA.

    An exception to this is the limited transfer of pseudonymous personal data to the central Zoom Trust & Safety team in the USA. For this, Zoom has promised to implement a secure solution: a secure connection to ensure these data remain in the EU, or the establishment of a European Trust and Safety team. As a result, from 2022 onwards, there will no longer be any structural processing in the USA, only incidental processing that is permitted.  

    Why is this DPIA on Zoom so important for Dutch research and educational institutions?

    Zoom is a widely used application by our members. The licenses are mainly used in academic education. The members therefore asked SURF to ensure good agreements with the supplier. That is why SURF co-commissioned a DPIA on Zoom in 2020 (completed in May 2021). This DPIA showed that there were 9 high risks associated with the use of Zoom. SURF then entered into discussions with Zoom, and appropriate agreements were made with Zoom to implement improvements.

    What were the main sticking points in those discussions?

    The main bottleneck in such discussions is the impact on technology. A party like Zoom must implement technical changes in their software, which has a major impact on resources. That is why it is so important that everyone (up to board level) is involved and supports the changes; only then can these steps be taken.

    Why did it take so long to reach a solution?

    It takes time to clarify the interests at stake and to bring together all the people needed to implement the measures. After that, a lot of discussion is needed about the measures to be taken and how they will be implemented. The actual implementation of the measures also takes a lot of time. 

    A large group of people at both Zoom and SURF are working on it almost full time.

    Does SURF now have a preference for Zoom for video conferencing?

    The suitability of a tool depends entirely on its use and the goals that an organisation has. SURF therefore has no preference for a particular tool; rather, when choosing one, an organisation should consider which tool is suitable for its purpose.

    SURF does not take a position on this. We make agreements with suppliers on behalf of the members. Zoom is now one of the suitable parties for video conferencing when it comes to privacy and security.

    How is it that agreements made by SURF now apply to the whole of Europe?

    SURF has negotiated on behalf of the entire education sector and the government. Many of the measures that Zoom is taking are so generic in nature that it pays for Zoom to implement them for the whole of Europe. Zoom has also realised that taking privacy measures will give them a much better position in the European market, and was therefore prepared to implement the many measures they are taking not just for SURF but for the whole of Europe.

    How does this DPIA relate to the DPIA conducted on Microsoft Teams?

    Both DPIAs are independent processes. In both cases, SLM Rijk and SURF worked together. In performing DPIAs, we follow standard procedures and the applicable legislation and regulations. There is no relationship between the two DPIAs because they concern two different applications.

    Learn more about the DPIA on Microsoft Teams.

    Q&A - questions for SURF members

    If I have questions or comments I do not wish to discuss publicly, who should I contact?

    If your question is not answered on this page, please contact your SURF relationship manager.

    With whom has the information been shared?

    With the organisations: UNL, MBO Council, VH, NWO, NFU, KNAW, PO-Raad, VO-Raad, Sivon, Kennisnet, SLB, APS IT-diensten, Ministry of Education, Culture and Science, CIO Rijk (BZK), SLM Rijk (Ministry of Justice and Security), CIP, CSCs, SCIPR, SURF Taskforce Beyond Privacy Shield.