Update DPIA for SURF on Zoom: all known risks solved

April 11, 2024

Commissioned by SURF (the collaborative organisation for IT in Dutch higher education and research), Privacy Company verified the measures Zoom committed to take in an Update DPIA report. The outcome of this Updated Data Protection Impact Assessment (DPIA) is that the US American videoconferencing company has taken almost all remaining agreed measures, and will roll out the last 3 measures before the end of the year. This means Zoom has solved all known data protection risks, provided that the educational institutions apply the recommended measures.

In a previous blog Privacy Company already concluded that Zoom had mitigated all high risks by agreeing to a comprehensive new data processing agreement with SURF, and by rolling out many technical and organisational improvements.

With the permission of SURF we are publishing this blog about our findings. If you have any questions about the DPIA, please contact SURF's communications department at communicatie@surf.nl.

Zoom

Zoom enables people to meet in videoconferences, attend webinars and share information one-to-one or in large groups via chat, with people inside and outside their organisation. To make use of the online services, users can install software on their own devices or log in via a browser. The Update DPIA covers Zoom's data traffic from installed applications on the operating systems macOS, Windows, iOS and Android, and via a Chrome browser.

New privacy conditions for European Education users

In a first DPIA on Zoom (performed in 2020-2021), nine high and three low data protection risks for data subjects were found. From the summer of 2021 on, SURF and Privacy Company engaged in extensive discussions with Zoom. These discussions resulted in Zoom taking and committing to a large number of mitigating measures. The agreements were laid down in a new contract, a new comprehensive data processing agreement and a signed action plan with timelines for the agreed measures. Most importantly, Zoom agreed to factually and formally act as a data processor for all personal data: not only for Content Data, but also for the Account Data, Diagnostic Data, Support and Website Data (during and after login). The data processing agreement contains a limitative list of clear and necessary purposes for which Zoom may process the data. These guarantees also apply to guest users that join a meeting organised by an EU Education customer. The agreement prohibits Zoom from ever processing the data for marketing, profiling, research, analytics or targeted advertising. Zoom may 'further' process some of its customers' personal data for a second limitative list of specific purposes if the processing is strictly necessary, for example to send invoices, respond to abuse complaints or predict network capacity requirements. Many other important improvements are listed in the previous blog from Privacy Company about Zoom.

New measures taken by Zoom since 2022

  • Zoom has effectively realised EU-based data processing for all personal data, with some exceptions.
  • Zoom’s data processing agreement with SURF is different from Zoom’s global data processing agreement. Zoom has updated its global DPA to include many of the negotiated improvements, but will also publish an addendum for EU/EEA Education and Enterprise customers in Q2 2024.
  • Zoom has asserted that it has subprocessor agreements with all of its subprocessors, has inventoried the subprocessors of its subprocessors and has ensured that arrangements for onward transfers, such as SCCs, comply with the guarantees in the new DPA. This also applies to the strictly necessary cookies set on Zoom’s websites.
  • Zoom has clarified and minimised the data retention periods, to an average of 7 to 31 days for most of the Content and Support Data after account termination, and 12 to 15 months after creation of the Diagnostic Data (with the exception of security logs). Zoom has published an overview of the retention periods of the different personal data.
  • Zoom has become more transparent about the Diagnostic Data it processes. Zoom has published an updated list of telemetry events, an updated Cookie Policy, and expanded the information in its Data Privacy Data Sheet with information about all metadata, data transfers and subprocessors. Zoom has confirmed that in the EU it only collects required telemetry as the default option.
  • Zoom has developed self-service tools for administrators to file Data Subject Requests, as well as a take-out tool for logs of admin behaviour. Zoom has also improved the understandability of the output of the DSAR results by providing descriptions of each file, and grouping the files in a more understandable order.
  • Zoom has taken many steps to comply with the privacy by design and privacy by default principles, also with regard to Zoom’s new AI Companion. The AI Companion is disabled by default for EU Education customers. Another example is the decision to create statistics about the number of active users in the EU, instead of creating such statistics in the USA.
  • Like all other US cloud providers, Zoom is obliged under US law to report confirmed Child Sexual Abuse Material (CSAM) to an NGO in the United States (NCMEC). Zoom has mitigated the risks of such an onward transfer by only reporting exact matches with known material, after human review.
  • Zoom has agreed not to send any unsolicited commercial communications to admins and end users on the basis of their Account Data, only to its commercial contacts (Sales Managers). Zoom has developed a marketing preferences self-service tool that end users can use to opt in to marketing lists, and that sales contacts can use to opt out.
  • Zoom has agreed to take two additional measures by the end of 2024 at the latest. Zoom will release a Diagnostic Data Viewer for the Telemetry Data in the first half of 2024 and build tools for Education end users for direct access to data and other privacy tools in the second half of 2024.

Conclusions

The result of this DPIA is that there are no more known data protection risks for the processing of personal data by Zoom.
Zoom now processes most of the personal data from Dutch Education customers exclusively in the EU. Zoom does not systematically transfer personal data to third countries outside of the EU, only incidentally, if an end user travels outside of the EU, if an admin consents to a one-off transfer to get support outside of office hours, or in case of a complaint or security flag.

Zoom does systematically transfer pseudonymised account data and IP addresses to the USA and incidentally sends service notifications to end users through its subprocessor Twilio from the USA. However, because of the new EU adequacy decision for the USA in July 2023, and because Zoom is a participant in the EU-US Data Privacy Framework, there are no more high risks resulting from these data transfers to the USA. If the Dutch education and research institutions apply the recommended measures, there are no known data protection risks for the individual users of the Zoom videoconferencing services.

Recommended measures for education and research institutions

  • Consider enforcing the use of E2EE as a good security measure. This is no longer required to mitigate data transfer risks.
  • Consider use of the available privacy options such as:
    • Enable advanced chat encryption
    • Prevent participants from saving chats
    • Mute individual or all participants upon entry
    • Turn off file transfer
    • Turn off annotation
    • Disable private chat
    • Turn off screen sharing for participants
    • Prohibit the (local) recording of video during screen sharing
    • Prohibit the viewing and recording of the ‘gallery’ during screen sharing
    • Enable the waiting room for participants
  • Create policy rules to prohibit the use of confidential data in room and topic names. If necessary for internal confidentiality requirements: draft a policy to instruct users whether they can or must use a profile picture.
  • Carefully assess optional third party integrations offered by Zoom, do not enable Giphy, and use own GDPR-compliant subprocessors to send invitations for Zoom webinars. If the organisation uses Zoom’s subprocessor Twilio to send webinar invitations: do not enable the tracking pixel, or ask for prior unambiguous consent for this tracking from the recipients, provided that the recipients are legally able to freely give such consent (difficult for employees).
  • Enable (or do not disable) ‘EU-only’ for Support requests. Draft an instruction for admins when they can consent to export of Support Data to the USA and the Philippines in exceptional emergency circumstances outside of EU office hours.
  • Use Single Sign On to further reduce the transfer risks of pseudonymised e-mail addresses to Zoom in the USA (necessary when logging in).
  • Use the Vanity URL like universityofamsterdam.zoom.us in combination with Single Sign On (SSO) to be able to show the organisation’s own privacy policy and use conditions to end users during sign-up, and on all meeting, webinar, and recording registration pages.
  • Alternatively, if the organisation does not use SSO and end users must individually sign-up: tell them Zoom’s general consumer privacy policy and TOS do not apply.
  • Zoom has developed a self-service tool for admins. Inform parents, students and employees how they can file a data subject access request with the school or university administrator. By the end of 2024, end users should be able to file a DSAR directly, via a new DIY portal. Zoom will also release a Diagnostic Data Viewer for the Telemetry Data before July 2024.
  • Create a policy to prevent abuse of audit logs and reports as an employee and admin monitoring tool.
  • Regularly check the log files of admin behaviour to verify compliance.
Sjoera
Consultant