Data protection watchdogs urge video conferencing data responsibility

Global data protection and privacy authorities have sent an open letter to video teleconferencing companies to ‘remind them of their obligations’ to comply with data protection and privacy laws and to handle information responsibly. through the Covid-19 pandemic and beyond.

The letter was signed by the Information Commission Office (UK), Federal Data Protection and Information Commissioner (Switzerland), Gibraltar Regulatory Authority, Office of the Australian Information Commissioner, Office of the Privacy Commissioner of Canada and the Privacy Commissioner for Personal Data (Hong Kong). 

The letter is intended video conferencing companies, but has been sent directly to Microsoft, Cisco, Zoom, House Party and Google.

The letter states: “Use of VTC to stay connected is not new. But as a result of the Covid-19 pandemic, we have seen a sharp increase in the use of VTC for both social and business purposes, including in the realm of virtual health and education, which can involve the sharing of particularly sensitive information, for particularly vulnerable groups. This increase in use exacerbates existing risks with the handling of personal information by VTC companies, and also creates new ones. 

“Reports in the media, and directly to us as privacy enforcement authorities, indicate the realisation of these risks in some cases. This has given us cause for concern as to whether the safeguards and measures put in place by VTC companies are keeping pace with the rapidly increasing risk profile of the personal information they process.”

The letter adds: “We recognise that VTC companies offer a valuable service allowing us all to stay connected regardless of where we are in the world; something that is especially important in the midst of the current Covid-19 pandemic. But ease of staying in touch must not come at the expense of people’s data protection and privacy rights."

The letter urges VC companies to review thinking on key privacy questions via privacy impact assessments, with the authorities expecting organisations to consult with privacy regulators to explain specific risks and to work through potential solutions. 
The letter continues: “During the current pandemic we have observed some worrying reports of security flaws in VTC products purportedly leading to unauthorised access to accounts, shared files, and calls. 

“In a world of global conversations, with personal information and private communications passing through many countries, we believe VTC providers should have certain security safeguards in place as standard, which would generally include: effective end-to-end encryption for all data communicated, two-factor authentication and strong passwords. Such security measures should be given extra consideration by organisations who provide VTC services for sectors that routinely process sensitive information, such as hospitals providing remote medical consultations and online therapists, or where the VTC platform allows sharing of files and other media, in addition to the video/audio feed.

“We welcome responses to this open letter from VTC companies, by 30 September 2020, to demonstrate how they are taking these principles into account in the design and delivery of their services. Responses will be shared amongst the joint signatories to this letter.”
 

Article Categories