Data Protection in Companies - Video Conferencing with Zoom


Our society is being shaped by the pandemic, and companies in particular need to adapt to the new situation. Increasing digitalization has made it possible for modern companies to hold customer visits in virtual conference rooms. Video conferencing tools will not disappear after the pandemic either, since their cost-benefit ratio has proven favorable and lengthy field-service appointments can now be held from the office or the home office instead.
However, data protection experts are sounding the alarm, as not all conferencing tools can be used in a GDPR-compliant way. Most providers of virtual conference rooms are headquartered in the United States or another third country outside the EU, and in most cases the servers on which the conferences are hosted are located there as well. The GDPR still applies to the processing of EU residents' personal data no matter where the server stands, but transferring that data to a third country requires a separate legal basis, and once the data is there it is additionally subject to the law of the country in which the server is located. Global players such as Microsoft, Google, Zoom and Facebook, which offer cloud and telecommunications services, can therefore be obliged to hand over data under that local law. The data on these servers is of particular interest to intelligence services, governments and other companies, because it enables profiling and can be used for advertising purposes.
How should data protection between the USA and the EU be evaluated?
The Privacy Shield agreement was in force between the USA and the EU from 2016 to 2020. It governed the use and transfer of personal data of individuals from EU member states. The agreement classified the level of data protection in the United States as adequate - a fallacy, since US law does not give people from EU member states protection equivalent to that in the EU, in particular against access by US intelligence services. US companies could rely on an adequacy finding that did not hold up, while companies in Germany and the rest of the EU had to meet the particularly strict European requirements. The GDPR (General Data Protection Regulation), applicable since 2018, did not remedy this either, and the personal data of EU citizens remained poorly protected once transferred. In July 2020, the European Court of Justice declared the Privacy Shield invalid in its Schrems II judgment, with immediate effect.
Data protection and the video conferencing tool Zoom
Data protection experts are keeping a very close eye on video conferencing with Zoom, as Zoom is an American company and users must accept its US terms of use. This is where the first alarm bells ring for the experts: a provider headquartered in the USA is subject to US law, under which authorities and intelligence services can compel access to the data it holds, and no consent by the user is required for that access. Zoom offers two usage options. With a basic (free) Zoom account you cannot choose the data center region through which your meetings are routed; with a paid account the account administrator can select it. If a public institution, such as a German university, wants to use Zoom, a European data center region must always be selected.
Zoom is a profit-oriented company, and this should always be borne in mind when using it. In practice this means that data protection is not the top priority and data security is sometimes treated as secondary. At Zoom, data protection features such as choosing the data center region are even sold to the customer as part of paid accounts.
Due to the pandemic, Zoom has become increasingly well-known and popular in the EU, but data protection officers are concerned because fixes for security vulnerabilities were neglected for a long time, and several of them have therefore classified Zoom as not GDPR-compliant. In April 2020, more than 500,000 Zoom account credentials were found on offer on the darknet, uninvited participants could join meetings, and meeting content was accessible to Zoom itself because the advertised "end-to-end encryption" turned out to be only transport encryption to Zoom's servers. Zoom has even been rejected from prominent positions - Elon Musk's SpaceX banned the tool for its employees, and the FBI issued a public warning about it. The iOS client was also found to send device data to Facebook even for users without a Facebook account, and the macOS client installed a hidden local web server that allowed any website to start a Zoom call with the user's webcam switched on, invisibly to the user.
If you study the privacy notice on Zoom's website, you will see that the company is located in the USA and is therefore the controller for the Zoom website and for all data processing connected with it. Installing the offered app brings the security flaws mentioned above to mind; if the user prefers to work in the browser, only basic functionality is offered. Registration data is stored for at least one month. Whether the meeting server is located in Germany or elsewhere in the EU is of secondary importance, as Zoom always processes account and usage data in the USA.
How Zoom processes the data it collects and how data protection works - an example
If the customer studies some passages from Zoom's privacy notice, they will come across vague formulations that give an idea of the importance of data protection at Zoom.
According to Zoom, personal data collected and processed through participation in video conferences is not transmitted to third parties. An exception, according to Zoom, applies if the data is intended to be passed on. Zoom then notes that data from conferences is often also intended for communication purposes and disclosure.
Such passages are unpopular with data protection advocates: on the one hand the data is not supposed to be transmitted, on the other hand the tool must include exactly this functionality, since communication is usually the purpose. In a face-to-face meeting, content can be shared with a limited, known group of participants, whereas Zoom even allows unknown participants to join a conference. This is where practiced data protection reaches its limits.
Zoom alternatives - how should conference tools be evaluated in terms of data protection law?
In general, no tool offers complete data security. Anyone who wants to purchase or use a data protection-compliant solution should always consider a few criteria.
Is it a trustworthy provider?
There is no general answer to this question, but studying press reports gives a good overview. If a provider has already attracted attention several times for data protection violations, using its tool is not advisable.
Data security and encryption
Video, audio, screen sharing, connection data and metadata should always be transmitted in encrypted form. In this area, Cisco Webex has the edge, and encryption of metadata is offered as standard even in the free version of Webex.
The location of the provider - an important criterion for data protection
As a general rule, you should choose a provider that is based and does business in the EU or the European Economic Area. Demodesk and TeamViewer offer security in this respect, as both companies are based in Germany.
Own servers - best security
Those who want to play it safe are best served by hosting on their own servers. On-premises solutions have the edge here, and data protection experts recommend a self-hosted solution such as Jitsi Meet or Nextcloud Talk.
Which video conferencing provider is recommended in terms of data protection?
Data protection authorities recommend Jitsi Meet and Nextcloud Talk. With these tools the application runs on the customer's own servers, so the customer keeps control over the data. Unfortunately, there are reports that Jitsi Meet does not offer optimal conference quality - a point on which willingness to compromise is required. Nextcloud Talk has difficulties with larger meetings and is in this respect still in its infancy.
If we look at the data protection of the individual tools, four groups of providers can roughly be distinguished:
"Secure Leaders"
Unfortunately, this field is still almost unoccupied. "Secure Leaders" should be able to demonstrate both maximum execution capability and strong data protection. Cisco Webex is the only provider that comes close to this group, but it cannot score fully in terms of data protection.
"Non-secure Leaders"
This group of providers demonstrates a high level of user-friendliness and brand awareness. Providers such as Zoom, Microsoft Teams, Skype and GoToMeeting can be found here, but all of them have inadequate data protection.
"Secure Visionaries"
If data protection is important, a company is in good hands with a provider from the "Secure Visionaries" group. These providers do not yet have a high level of user acceptance and are relatively unknown. This group includes Blizz, Jitsi, Nextcloud and Avaya Aura.
"Niche players"
A provider from the "Niche Players" group is not recommended for companies and government institutions. These providers have no market penetration and also tend to fall short in terms of data protection. Amazon Chime should be mentioned here.