Safe cloud use: Zoom and SURF together provide seatbelts and airbags
Zoom is popular in the Netherlands, but still struggled with a nine privacy issues in 2020. Zoom can now be safely used in Dutch education and research: the Data Protection Impact Assessment (DPIA) on Zoom indicated that using Zoom's video conferencing services no longer poses high risks to users.
A great result of an extraordinary public-private partnership project. To do so, a number of bumps had to be taken. SURF and Zoom rose to that challenge together.
Glory Francke is European and US privacy lawyer at Zoom, and leads the collaboration with SURF from Zoom: "During this project we had a number of intensive working sessions, online of course. Because of the big time difference between the Netherlands and Seattle, we often sat and had meetings over dinner: us at breakfast, the SURF employees at dinner. That shows very nicely the willingness to achieve a good result together. We all go the extra mile in this special collaboration project".
Because a special collaboration you can certainly call this project of SURF and Zoom. It is already exceptional for a European and a US party to work so closely together on privacy. But besides that, it is also a public-private partnership. How did it come about and what was the result?
Video conferencing popular during corona
It actually all started in March 2020. Exactly: at the beginning of the corona crisis. That was when the demand for videoconferencing services exploded. In Dutch education, the use of Zoom rose rapidly. This led to questions about privacy protection: did Zoom adequately protect the data of European users?
Initially, SURF and Zoom came to temporary agreements. Then, in October 2020, SURF and the government launched a DPIA. The DPIA was conducted in collaboration with Privacy Company, a privacy and data protection consultancy.
What is a DPIA?
DPIA stands for Data Protection Impact Assessment. It is a tool to identify privacy risks of a data processing operation for users (e.g. by applications like Zoom). And then to take measures to mitigate those risks. It follows from the General Data Protection Regulation (GDPR) that a DPIA is legally required if there is likely to be a high risk to users, such as large-scale processing of personal data or sensitive personal data.
First DPIA
Sandy Janssen, project leader from SURF: "For this first DPIA, we held a number of discussions with Zoom. In the DPIA, we identified the privacy risks to users posed by the use of Zoom. This led to the advice to SURF members in May 2021 to be cautious when using Zoom and not to use the service to process sensitive data. It contained too many high privacy risks for users and there was insufficient prospect of Zoom resolving the risks found."
Glory: "Those discussions were the beginning of the collaboration between SURF and Zoom. I had just joined Zoom and was faced with all kinds of difficult questions from Privacy Company's privacy experts, about our data processing. As a privacy lawyer, I actually immediately saw all those questions as something positive: if the Dutch government conducts a DPIA, you know they are interested in your product. But not everyone in our company thought that way: some saw the DPIA as an audit by a regulator."
More transparency needed
This did not diminish when the first DPIA turned out negatively for Zoom. Sandy: "The main privacy risk was in the processing of personal data: Zoom was operating as a data controller for most data, but should be acting as a data processor. As a result, institutions using Zoom had less control over users' data. Furthermore, Zoom had to become more transparent about what data it was processing and for what purpose. Another issue was that the data was stored in the United States.
"As a privacy lawyer, I actually immediately saw Privacy Company's difficult questions as something positive," he says.
Great gift
With the first DPIA, Zoom had some concrete areas for improvement in its hands. "The DPIA was a great gift for us," explains Glory. "This DPIA showed that we were not yet transparent enough. I was able to convince our management that we could get this in order by working with SURF. As a company, we have no interest in storing data. For example, we do not depend on advertisements for our revenue, like some other providers in the market. We want to do it right, but could still use some help in doing so."
Thus began the project to conduct a new DPIA on Zoom. For this DPIA, SURF had taken over the lead role from the Dutch government. Privacy Company again provided the privacy experts who supported with the research. Sandy: "We were very happy that Glory was able to convince her colleagues to start working with SURF. Zoom no longer saw the DPIA as an audit, but as an opportunity to learn what the GDPR requires, and how to adapt your product so that it best protects the privacy of European users."
Working sessions in collegial atmosphere
From November 2021, Zoom and SURF held intensive working sessions, which were also attended by Privacy Company's privacy experts. Those sessions naturally addressed the bigger issues, such as role clarity and transparency. But details were not lost sight of either, such as the use of cookies.
"It was really nice to see how committed the people at Zoom were to this project," says Sandy. "Once they had management's permission to start the collaboration, it no longer felt like we were sitting opposite each other, but - in a well-nigh collegial atmosphere - we were working together towards a solution."
That dedication, by the way, is also reflected in the fact that Zoom freed up a lot of capacity for this project. Glory: "We took a company-wide approach to this. We involved colleagues from different disciplines in this project to come up with good solutions to the issues: lawyers, technical people, and so on. All of them participated in the working sessions. To implement the solutions, we freed up capacity and redesigned processes in business operations."
"It was really nice to see how dedicated the people at Zoom were to this project."
Learning how to apply the GDPR
The GDPR is new, and it is a European law. As a result, Zoom ran into challenges in implementing it. Glory: "The GDPR is a principle-based law. For example, one of the principles is that you have to apply privacy-by-design when developing your products. That makes the law flexible, but it does pose the question of how to apply those principles in our products. SURF has been a great help to us in applying the GDPR, making our products more in line with what our customers want."
Through its collaboration with SURF, Zoom has now resolved many issues. For example, Zoom is more transparent about how they process data and a processor agreement has now been signed. Also, for many users' personal data, Zoom is now a processor and they also make it clearer when they are data controllers and when they are processors. Furthermore, Zoom has agreed to process almost all personal data of European users in Europe by the end of 2022, and a support centre is being set up in Europe. After all, data is also processed when providing customer support. Zoom has also improved the security of video calls, including the introduction in October 2020 of end-to-end encryption, as an option in Zoom Meetings.
Second DPIA: no more high risks for users
All this led to the publication of the second DPIA on Zoom in March 2022, on the basis of which SURF gave a positive opinion for the use of Zoom products. SURF believes that Zoom has made sufficient adjustments to the privacy arrangements for all Education and Enterprise users in Europe. Also for highly confidential communications and sensitive personal data.
Sandy: "Institutions can now enter into the processor agreement with Zoom that we drafted in this project. Institutions can also use the DPIA for their own assessment of privacy risks to users. They can do so by, as a follow-up to SURF's work, determining themselves whether Zoom has sufficiently mitigated the risks. After all, institutions themselves remain responsible for the privacy of their staff and students. SURF helps with this, by maintaining contact with the vendor and offering information to the institutions, such as the DPIA with accompanying documentation."
"Engage in collaboration"
Glory: "We have come this far thanks to the fruitful cooperation with SURF. I would therefore wholeheartedly recommend to other service providers facing a DPIA: don't see the party carrying out the DPIA as the enemy, but engage in cooperation! Think of it as a learning process. At the beginning of the 20th century, the car was on the rise, but there were no seatbelts and airbags yet. Those came only later. That's how I see working on a DPIA: through projects like this, we make our services ever safer and more reliable."
"By working well together, you can reach a mutually satisfactory solution."
Everyone satisfied
Sandy also looks back on the DPIA project with Zoom with a good feeling. "Here in Europe, we sometimes wonder whether it would not be better to stop using US services. After all, cooperation on privacy protection is often difficult. This project shows that it can be done: by working well together, you can reach a solution that is satisfactory for all parties. You can see that here: we are happy because our institutions can now safely use Zoom, a popular tool. An additional advantage of this approach is that a lot of preliminary work has already been done this way: the institutions can use the DPIA to assess the risks for their own users. This is much more efficient than each institution having to carry out a full DPIA itself. And Zoom is happy because the use of their video conferencing service no longer has high risks for users."
How to proceed?
This second DPIA does not end the collaboration between Zoom and SURF. Glory: "Zoom is still implementing some solutions, my colleagues are busy with that. We at SURF will regularly check whether new product features comply with the agreements made in the DPIA." SURF and Zoom will continue to talk to each other afterwards as well, because compliance is not a one-off affair. Processes, products but also laws and regulations can change, making new agreements necessary.