November 1, 2021
In July 2020, six data protection and privacy authorities from Australia, Canada, Gibraltar, Hong Kong SAR, China, Switzerland and the UK jointly signed an open letter to video teleconferencing (VTC) companies. The letter highlighted concerns about whether privacy safeguards were keeping pace with the rapid increase in the use of VTC services during the global pandemic and provided VTC companies with some guiding principles to address key privacy risks.
The joint signatories invited five of the biggest VTC companies to reply to the open letter, which set out five principles to help VTC companies identify and address some of the key privacy risks of their services. Microsoft, Google, Cisco and Zoom responded, setting out how they take the principles into account in the design and development of their VTC services and identifying various good practices employed in relation to each of the five principles. Following a review of the responses, the joint signatories further engaged with these companies to better understand the steps they take to implement, monitor, and validate the privacy and security measures put in place.
The joint signatories have now published their observations following this exercise. The five principles to which the VTC companies responded were:
- Security: covering regular testing of security measures and access to and handling of personal information by employees and third parties;
- Privacy-by-design and default: covering the adoption of overarching privacy programs and default settings;
- Know your audience: covering the use of enhanced features where discussions and shared information are sensitive, e.g. education and healthcare, and tailored privacy and security guidance for specific user groups;
- Transparency: covering “layered notices” whereby people are kept informed as to how and why their information is collected and used via a “layered” approach, i.e. the use of multiple notices at different points of the user experience, and how personal information is shared with third parties; and
- End-user control: covering the provision of intuitive and clear controls for users’ interaction with VTC services and alerts as to what information is collected, and risk management, i.e. mitigating the risk of meeting participants unknowingly putting the privacy and security of other participants at risk by making information publicly available via social media.
Through their engagement with the VTC companies, the joint signatories also identified opportunities to further enhance or improve the VTC companies’ use of:
- personal information for secondary purposes; and
- data centres.
The joint signatories say that this is an example of constructive engagement between the privacy regulatory community and the organisations they regulate. They recommend that this model be replicated where emerging issues would benefit from open dialogue to help set out regulatory expectations, clarify understanding, identify good practice, and foster public trust in innovative technologies. To read the joint statement in full and for a link to the observations, click here.