EU – DATA

Following the publication of the joint statement on privacy expectations for video teleconferencing (“VTC”) companies in July 2020, the ICO and six other global data protection authorities worked with the five largest VTC companies to produce best practice guidance designed to mitigate the risks faced by VTC companies and users alike in the wake of the COVID-19 pandemic.

Key date(s)

  • July 2020 – Data protection and privacy authorities from Australia, Canada, Gibraltar, Hong Kong, China, Switzerland, and the UK jointly published an open letter to video teleconferencing (“VTC”) companies.
  • 27 October 2021 – The Information Commissioner's Office (“ICO”) publishes its final observations on the joint statement on global privacy expectations of VTC companies.

Status

  • In July 2020, the Information Commissioner's Office (“ICO”) published an open letter to VTC companies in partnership with data protection and privacy authorities from Australia, Canada, Gibraltar, Hong Kong, China, and Switzerland (the “Joint Statement”).
  • In 2020, the global effects of the COVID-19 pandemic on organisations of all shapes and sizes and on the general public resulted in a dramatic rise in the use of VTC services. The Joint Statement was issued to address concerns about whether privacy safeguards built into such services were sufficient to keep pace with this exponential increase in demand by a diverse range of users.
  • The Joint Statement also included a series of guiding principles that would enable VTC companies to address some of the key privacy risks that were concerning regulatory authorities and actively invited the five largest VTC companies to reply to the Joint Statement.
  • Responses were received from Google, Microsoft, Zoom and Cisco, detailing how each company incorporated the guiding principles into its VTC services. A constructive dialogue with the authorities has continued since, leading to a mutually beneficial exchange of information between regulators and some of the biggest names in the VTC industry.
  • The ICO has now concluded its involvement in the project and published its final observations on global privacy expectations of VTC companies which include practical good practice guidance (the “Observations”).

What it hopes to achieve

  • The ICO has held this project out as “an example of constructive engagement between the privacy regulatory community and the organisations we regulate”. It notes that the Joint Statement enabled a global privacy regulatory community spanning four continents to respond effectively to an unprecedented event and cites this model of engagement as being “valuable and replicable” in similar circumstances in the future.
  • In the short term, however, it is hoped that the Observations, and the five principles contained within them, will assist VTC companies and the wider VTC industry to mitigate some of the inherent privacy risks involved in their services.
  • It should be noted, however, that neither the ICO nor any of the other regulatory authorities formally investigated the VTC companies that engaged with the Joint Statement. Consequently, it is important to recognise that the Observations are only applicable to general, public use of VTC platforms and they do not generally address the issues surrounding the use of VTC platforms for sharing sensitive information.
  • The good practice guidance contained in the Observations will, though, only be effective if it is implemented and observed by VTC companies.

Who does it impact? 

  • The Joint Statement was targeted at the five largest VTC companies; however, the content of the Joint Statement itself and the Observations are applicable to the wider VTC industry.
  • Specifically, the Observations should be reviewed and incorporated into the privacy practices of all VTC companies to ensure compliance with the latest best practice guidance (including that of the ICO).
  • From a regulatory perspective, the Joint Statement's model of engagement may well be replicated by other regulators in the near future and should be considered by all regulatory bodies.

Key points 

  1. Security
    • The ICO and the other signatories to the Joint Statement recommend that VTC companies regularly test and review their security measures and employ multiple testing approaches.
    • VTC companies should also ensure that any third-party sub processors and their own employees comply with their personal information obligations.
  2. Privacy-by-design and default
    • Data protection and privacy obligations must be considered at all stages of the design and development of VTC services. It is also recommended that all VTC services have the highest level of privacy protection set as the default user setting.
  3. Know your audience
    • VTC services are increasingly being used to hold discussions containing particularly sensitive information. Platforms must include sufficient privacy and security safeguards to protect personal data being shared in this context. Tailored or custom security guidance is one way of adapting protocols to the privacy requirements of different users.
  4. Transparency
    • To ensure that users are adequately informed as to how their data is being collected and used by the VTC service, a ‘layered’ approach should be used. This requires platforms to present user information to their audiences in different ways across multiple touchpoints.
  5. End-user control
    • VTC platforms must provide users with clear and intuitive controls for operating the system. Users should also be alerted when information about their experience of, or participation in, a meeting is being collected, such as through an attendance or engagement report, and opt-out mechanisms should be readily available in such scenarios.
