Since the start of the coronavirus pandemic last year, video conferencing has become an indispensable part of everyday professional lives. In response, working routines have shifted into the virtual realm for employees across many sectors and professions. However, in parallel, the technology has come into the crosshairs of privacy and security regulators in EU member states such as Germany.
Review of videoconferencing services by data protection authorities
Over the last year, Berlin’s Commissioner for Data Protection (the Commissioner) has issued two assessments on videoconferencing systems, particularly in regard to the applicable data processing agreements.
According to the latest assessment from February 2021, none of the market-dominating videoconferencing service providers (VSPs) offers data processing agreements satisfying the requirements of Article 28 of the EU General Data Protection Regulation (GDPR). The Commissioner concluded that none of these systems can be used by companies in accordance with data privacy laws.
Even though market feedback on the strict interpretation of the Article 28 GDPR requirements, and consequently on the practical value of these assessments, has been mixed, the Commissioner’s assessments give companies a list of requirements to meet and to consider should they negotiate with their VSP. The requirements are, however, also important in relation to other service providers engaged as processors within the meaning of the GDPR.
In particular, data protection authorities (DPAs) pay attention to the following aspects in data processing agreements with VSPs:
- the scope of the data processing agreement (with some VSPs assuming the role of a controller for certain processing activities);
- any restrictions on the controller’s right to issue instructions to the VSP, in some cases with reference to obligations under foreign laws as a justification;
- any restrictions on other mandatory rights of the controller (eg regarding the right to delete data or to carry out inspections; in this respect the controller should ensure that the documents to be provided are not extensively restricted, that the right of inspection is not limited to reviewing documents, and that an unannounced on-site audit is possible at least in exceptional situations); and
- any authorization to engage subcontractors within and outside the group of the respective VSP. The Commissioner, for example, said that the rights of the controller to object to (new) subcontractors, and to control and inspect them, may not be inadmissibly limited.
Another point of criticism has been the unclear structure of some of the data processing agreements and the fact that some VSPs reserve the right to change those terms at any time, of which controllers should be informed in advance in order to fulfill their accountability obligations under the GDPR.
Furthermore, concerns were expressed that many of the VSPs transfer personal data to countries outside of the EU/EEA in the course of providing their services. As this usually takes place on the basis of the standard contractual clauses (SCCs), the requirements stipulated by the ‘Schrems II’ ruling of the CJEU from July 2020 apply.
In its assessment, the Commissioner emphasized that deviations from these SCCs are not acceptable. Since the Commission adopted the new SCCs for transfers of personal data outside of the EU/EEA at the beginning of June, companies using VSPs that transfer the data outside of the EU/EEA must update their SCCs by 27 December 2022.
It is also worth noting that in summer 2020 the DPAs from Australia, Canada, Gibraltar, Hong Kong, Switzerland and the UK issued a joint statement reminding VSPs of their privacy obligations. In particular, they reminded VSPs of their obligation to design their products in accordance with the principles of privacy-by-design and privacy-by-default, and to inform their users transparently about the circumstances of the processing.
Minimum IT-security standards for videoconferencing systems
The German information security regulator, the Federal Office for Information Security (BSI), recently announced that it intends to define minimum standards for videoconferencing systems to complement its 2020 ‘Compendium Videoconferencing Systems’ guidelines.
These minimum technical standards for videoconferencing systems, which have so far only been published as a ‘community draft’, are based on the Compendium. Although the minimum standards only address federal government institutions, the technical and organizational measures described therein are likely to become relevant for companies as base-level requirements by indirectly defining what is considered ‘state of the art’ for such systems. Unlike the Compendium, however, the minimum standards are aimed at a narrow core of technical requirements and settings (most of which the BSI considers ‘must-haves’).
Content-wise, the minimum standards partially describe security requirements for the tool itself (eg encryption), which the VSP must implement. Other requirements relate to procurement and in particular list criteria for selecting a videoconferencing service based on its data-security-related functions (such as the possibility of data localization, the degree of data availability or regular security updates).
Of particular relevance for companies making use of videoconferencing services are the requirements for operation and for users. Key requirements include a comprehensive access-rights concept and the obligation to keep all unnecessary features (such as voice control or automated acceptance of connections) deactivated. The organization should also pre-define which categories of data may be processed via videoconferencing services in the first place and instruct users to comply with all requirements relating to the proper use of videoconferencing systems.
Key requirements to check and observe when making use of videoconferencing systems
Considering the two specific guidelines above, along with guidance and statements from the DPAs in France or the UK, companies using a videoconferencing system can address regulatory expectations by checking the following issues:
- As the controller of both customer and employee data, a company should first ensure that it has a legal basis for processing personal data in videoconferencing systems and adheres to the legal requirements of the GDPR. It also needs a data protection organization that ensures its own technical and organizational safeguards, including policies on how such systems should be selected, implemented and used by employees.
- Companies must ensure that a GDPR-compliant data processing agreement is in place with the VSP.
- Contractual safeguards and settings should ensure privacy compliance when personal data is transferred to countries outside the EU/EEA either within a corporate group or to external parties.
- It might also make sense to carry out a data protection impact assessment to show which types of personal data are processed and how privacy concerns are effectively addressed.
- When developing and implementing custom-built software and procuring IT systems (including videoconferencing systems), companies should diligently review technical settings and choose systems with appropriate defaults, taking into consideration the privacy-by-design and privacy-by-default principles of the GDPR.
- As humans remain the most vulnerable part of every company’s IT system, security policies should cover – and staff should be trained in – how to use the videoconferencing tools.
- The use of videoconferencing services should also be reflected in internal and external privacy notices.
- Companies should review applicable local laws to determine whether they need to inform or consult employee representatives (such as works councils) when implementing videoconferencing systems or policies that address employees as users.
In Europe, the number of proceedings leading to fines for inadequate technical, organizational or contractual safeguards has increased steadily in recent times. Authorities are now taking a particularly critical look at videoconferencing systems, as illustrated by the number of guidelines published of late.
This development is likely to extend beyond the pandemic: many businesses have announced or are considering integrating remote working, and are limiting business travel to save costs and reduce their carbon footprints.
To limit future privacy and IT security risks, companies should therefore pay attention to the further development of administrative standards.