Various Data Protection Authorities from Australia, Hong Kong, Gibraltar, Switzerland and the United Kingdom (the "Authorities") have set out their global privacy expectations of video teleconferencing companies ("VTC Companies") in an open letter dated 22 July 2020 (the "Letter").

The Letter was prepared due to the increase in VTC tool usage both from a social and business perspective, as a result of the ongoing COVID-19 pandemic. The Letter acknowledged that the increase in usage of VTC tools and platforms exacerbates existing risks in the handling of personal data by VTC Companies and also creates new risks (see our article on "Data Protection considerations for alternative communication platforms" here). Faced with increased VTC usage and amplified media attention, the Letter sought to set out key principles that should be considered by VTC Companies to assist them in addressing privacy concerns reported to the Authorities directly as well as discussed in the media.

The Letter notes that its purpose is to: "set out our concerns, and to clarify our expectations and the steps you should be taking as VTC companies to mitigate the identified risks and ultimately ensure that our citizens' personal information is safeguarded in line with public expectations and protected from any harm".

Principles set out in the Letter

The Letter provides VTC Companies with a set of principles to assist in addressing the increased privacy concerns over their services. The principles relate to the following aspects:

  • Privacy by design and default: when VTC Companies design their platforms, privacy and data protection should be at the core of the services provided. It is essential for VTC Companies that privacy and data protection are central to their services and referred to as a starting point rather than an afterthought. The platform settings should be privacy-friendly and the Letter recommended using features such as:
    • announcing new callers when they join;
    • setting audio/video feeds as mute upon entry; and
    • allowing users to seek other users' consent.
  • The Authorities have recommended that VTC Companies undertake a privacy impact assessment to identify the impact of their personal data handling practices on the privacy of individuals and implement strategies to "manage, minimise or eliminate, these risks".
  • Security: The Authorities acknowledged that data-security is a dynamic responsibility and vigilance by organisations is paramount. The Letter set out that VTC Companies should as standard, have particular security safeguards in place to target cybersecurity risks and threats (see our article on "Tips for staying safe whilst working remotely during COVID-19" here which sets out recommendations on how to stay safe from cybersecurity risks whilst using alternative communication platforms). The Letter suggested that this would include two-factor authentication, strong password requirements and effective end-to-end encryption for all data communicated. The Letter emphasised that the security mechanisms implemented should be subject to continuous routine updates.
  • The Authorities commented that security considerations should be given extra attention by organisations who provide VTC services for sectors that routinely process sensitive information, such as hospitals providing remote medical consultations and online therapists.
  • Transparency and fairness: The Authorities have recognised that there is a heightened community awareness and increasing expectations in terms of how organisations, particularly VTC Companies, treat and use personal data as a result of several high-profile privacy breaches being reported in the media. The Letter states that in order to satisfy these 'expectations', VTC Companies should be "up-front" about how they use personal data and pro-actively make users, in an easily accessible manner, aware of how their personal data will be used and ensure their use of personal data collected is fair and expected.
  • The Letter specifically refers to processing personal data for unexpected purposes and states that "This is particularly the case when what you do with people's information is unlikely to be expected because it would not be seen as a core purpose of the VTC service. This information should be provided pro-actively, be easily accessible and not simply buried in a privacy policy". VTC Companies should obtain specific and informed consent when required.
  • The Letter also expressly refers to changes to VTC platforms and recommends that when VTC Companies consider making changes to their platforms they should consider the impact of these changes and consider whether it is important to make users aware of these changes. This will enable users to make informed decisions about how they use VTC platforms moving forward.
  • Know your audience: The Authorities recognised that during the ongoing COVID-19 pandemic, they have seen many examples of VTC platforms being deployed in contexts for which they were not originally designed or intended. This can potentially give rise to new risks that VTC Companies may not have anticipated prior to the current crisis. Therefore, VTC Companies should understand and review how platforms are being deployed by users, particularly when it comes to children, vulnerable groups and contexts where discussions on calls are likely to be sensitive (the Letter gave the examples of the healthcare and educational sectors) or when operating in jurisdictions where human rights and civil liberty issues might create additional risk to individuals engaging with the platform. The Authorities have suggested that VTC Companies "consider what the data protection and privacy and requirements are for all contexts in which your platform is now in use, and implement appropriate measures and safeguards accordingly".
  • End-user control: As pointed out by the Authorities in the Letter, end-users may often have little choice about the use of a VTC service if a particular platform has been purchased, or is being exclusively utilised, in a given work-place, school or other setting. The Letter recognises that some novel features of VTC platforms "may raise the risk of covert or unexpected monitoring". For example, on certain VTC platforms the host may be empowered to collect location data, track engagement or attention of platform participants or record or create transcripts of calls in virtual classrooms. If these features are available, VTC Companies should ensure that the use of these features is clearly indicated to those on the call when they are activated. This could be done via pop-ups or icons. VTC Companies should make sure the end-users have appropriate information and control of such features on their platforms.

Conclusion

The key message from the Authorities in the Letter was that: "VTC companies offer a valuable service allowing us all to stay connected regardless of where we are in the world; something that is especially important in the midst of the current Covid-19 pandemic. But ease of staying in touch must not come at the expense of people's data protection and privacy rights".

Users of VTC platforms, whether businesses or individuals, should also be aware of their rights and obligations in dealing with their own and others' personal data on these platforms. The principles set out in the Letter are intended to be focus points for VTC Companies to ensure that the services offered not only bolster data protection and privacy within their businesses, but also help to build a relationship of trust and confidence between users and VTC Companies especially in the current climate where the user base of VTC platforms will continue to grow.

Background of the Letter and next steps

The Authorities were brought together through the Global Privacy Assembly ("GPA")'s International Enforcement Cooperation Working Group ("IECWG") to issue this Letter to all VTC Companies around the world. The Letter has also been sent directly to Microsoft, Cisco, Zoom, House Party and Google.

VTC Companies are invited to respond to the Letter by 30 September 2020, to demonstrate how they are taking the above principles into account in the design and delivery of their services.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.