Today we are pleased to announce that SURF has published a Data Protection Impact Assessment (DPIA) on Zoom’s Meetings, Webinar, and Chat services.
On behalf of its members, SURF negotiates with major software suppliers to procure and assess their tools’ compliance with European privacy and security standards and documents its findings in a DPIA. This gives SURF’s members freedom of choice when purchasing software such as video conferencing tools.
A SURF-published DPIA represents an important benchmark for technology providers: it accurately records current performance on data protection, provides a risk analysis, and identifies opportunities for improving practices.
Zoom is grateful to SURF for the cooperation in preparing this DPIA. In addition to supporting Zoom’s efforts to continue improving its approach to data privacy, the DPIA reflects the respect that Zoom has for European data protection policies and principles. Zoom is committed to expanding its engagement with European companies, governments, and citizens.
What is a DPIA?
A DPIA is a detailed technical and legal review of a company’s data collection and use practices to determine compliance with European Union (EU) data protection laws, especially the General Data Protection Regulation (GDPR). A DPIA analyzes how a company processes personal data, identifies risks associated with that processing, and provides measures to mitigate those risks.
During the DPIA evaluation process, Zoom specified its data collection and use practices and provided evidence to demonstrate those practices. SURF assessed Zoom’s current capabilities and made recommendations in the DPIA for improvement in practices, all in the effort of strengthening data protection for European citizens.
The assessments are published below this announcement.
Key actions emerging from the DPIA
SURF and Zoom agreed to several actions in the course of collaborating on the DPIA. These include:
Developing new privacy features:
- Data location solutions: EU Zoom customers have privacy concerns about the processing of personal data in the U.S. and prefer that all personal data be processed in the EU. Zoom has committed, in consultation with SURF, to make this largely possible by the end of this year. Any exceptions will be agreed upon and documented.
- EU support services: Zoom will establish a separate EU support desk by mid-2022 to support EU accounts during EU business hours. If an EU account requires support outside of those hours or has an escalation that requires support outside of the EU, Zoom will only provide such support if the customer explicitly consents, with each support ticket.
- Data Subject Access Requests (DSARs): Zoom will enhance the ability for customers to respond to DSARs with two self-service tools for enterprise and education account administrators.
- Communication preference center: Zoom will develop a marketing preferences self-service tool for all account owners by the end of 2022.
Improved transparency and documentation:
- Privacy datasheet: Zoom improved its public documentation on its processing of personal data with the publication of a privacy datasheet that will be regularly updated.
- Updated Data Transfer Impact Assessment (DTIA): Zoom has produced a new DTIA based on the format created by the Swiss legal scholar David Rosenthal. The DTIA shows that the privacy risks to individuals using Zoom are negligible.
- Clarifying Zoom’s roles & responsibilities: Zoom agreed that it was appropriate to reclassify itself as a data processor for all personal data, except for a limited list of situations in which the education and enterprise customers (the data controllers) authorize it to ‘further’ process some personal data as an independent data controller. This also applies to the personal data Zoom collects through its publicly available website.
Enhancing Zoom’s data protection practices:
- Personal data retention: Zoom has clarified and minimized its customer personal data retention practices.
- Privacy by design and default: Zoom will implement more robust and aggressive privacy by design and default processes throughout their product development lifecycle.
- Employee training: Zoom is deploying new training for its employees to ensure they always consider privacy protections while delivering happiness.
- Measuring our progress: Together with SURF, Zoom has documented opportunities for improved data protection and a roadmap for achieving these goals. SURF and Zoom will discuss the progress in a bi-monthly schedule.
A new horizon for data privacy
Zoom states that the cooperation between SURF and Zoom — both on the DPIA and moving forward — will help Zoom benchmark and evolve its data privacy and protection strategies.
As the DPIA notes, “Thanks to Zoom’s many improvement measures, and the new DPA with a limitative list of specific purposes, Zoom’s customers should be able to rely on the contractual guarantees and privacy controls to prevent any personal data from being processed beyond these authorized purposes.”
To learn more about Zoom privacy and security, explore the Trust Center.