Skip to content

Media Statements

Media Statement - Zoom Data Security Incident

Date:1 April 2020

Zoom Data Security Incident

The Privacy Commissioner for Personal Data, Hong Kong, Mr Stephen Kai-yi WONG noted that overseas users of Zoom, including governments, have been warned about the risks of the use of the app. Before the privacy issues are clarified and rectified, and should the users not be sure about the related data security, the Privacy Commissioner will echo the same warning.
The Privacy Commissioner learnt from media reports that Zoom had transferred certain data of users using iOS mobile apps to Facebook. Zoom has made a public response, stating that customers’ privacy is incredibly important to them, and the iOS mobile app has been updated to disable the transfer function.
The Privacy Commissioner considers it a good practice for enterprises to take timely remedial measures when they find that their products are vulnerable in terms of data security.
The Privacy Commissioner recommends that if users still choose to use Zoom:
  • the mobile app must be updated to the latest version;
  • sign in with an account specifically created for Zoom and avoid logging in with other existing accounts whenever possible to reduce the risk of personal data being transferred or leaked;
  • set a password for the meeting which ( as well as its link) should be given to participants of the meeting only.;
  • keep a close watch of any unusual activity on the account; and
  • document any damage incurred to facilitate any necessary follow-up action.
The Privacy Commissioner has been advocating the adoption of “Privacy by Design” and “Privacy by Default” as core considerations of enterprises, and that third-party vendors and partners should also conduct Privacy Impact Assessment to nip risks in the bud.
The Privacy Commissioner and Singapore’s Personal Data Protection Commission have released a jointly-developed Guide to Data Protection by Design (DPbD) for ICT Systems. The Guide encourages enterprises to take into account data protection when developing ICT systems from the onset. The Guide assists enterprises in applying DPbD principles by offering practical guidance for all phases of software development and good practices for data protection for ICT systems.
The Guide can be downloaded from the following link:
On privacy issues arising from COVID-19, the Privacy Commissioner has issued four other guidelines: