Date: 27 October 2021
The PCPD, together with Five Data Protection Authorities, Issues A Joint Statement on Global Privacy Expectations of Video Teleconferencing Companies
The Office of the Privacy Commissioner for Personal Data (PCPD), together with five data protection authorities from Australia, Canada, Gibraltar, Switzerland and the United Kingdom (hereafter referred to as “the Joint Signatories”), today published a joint statement (the Joint Statement) on global privacy expectations of video teleconferencing (VTC) companies.
The Joint Statement highlighted the good practices reported by the major VTC companies in safeguarding personal data when they provide their services, while reminding the VTC companies of the possible areas of further improvement.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling said, “The Joint Statement is a concluding report on a series of engagement activities since July 2020 between the PCPD, together with five data protection authorities, and four of the biggest VTC companies, namely Cisco, Google, Microsoft and Zoom, that aimed to address the global privacy concerns arising from the sharp uptake in the use of video teleconferencing software during the COVID-19 pandemic.”
Through constructive dialogue, the Joint Signatories were able to identify several areas where the major VTC companies had implemented good practices to address privacy risks. For example:
Security: regularly testing security measures to ensure that they remain robust against constantly evolving threats; relevant measures were put in place to enhance employees’ and third-party sub-processors’ understanding of and compliance with privacy requirements;
Privacy-by-design and default: having in place detailed privacy programmes within their organisations; using the most privacy protective settings as the default settings;
Know your audience: enhancing the privacy and security safeguards to suit more sensitive environments (e.g., education and healthcare); providing timely, relevant and tailored guidance to specific groups of users;
Transparency: keeping users informed about how and why their information is collected and used through different layers of notices; transparency about the sharing of personal information; and
End-user control: giving intuitive and clear meeting control options to users; mitigating the risk of making meeting information publicly available.
Meanwhile, the Joint Signatories identified possible areas for the VTC companies to further improve their data protection practices. For example:
Making end-to-end encryption available to all users of VTC services and providing clear and easily understandable information to users about the different levels of encryption available;
Only processing users’ information for a secondary purpose if it is made clear explicitly to users; where secondary purposes include targeted advertising and/or the use of tracking cookies, they can only be used if users have expressly opted-in to such processing;
Being fully transparent with users on the locations where data is stored; where possible, giving users the choice of which locations and jurisdictions their personal information is routed through and stored; and
Implementing protective measures when sharing information with third parties in foreign jurisdictions.
The Joint Signatories, including the PCPD, will continue to make themselves available to all VTC companies for any further engagement to support the maintenance and development of their services in a privacy protective, safe and trustworthy manner.
The Joint Statement can be downloaded here
In July 2020, the Joint Signatories signed and published an open letter to major VTC companies reminding them of their obligations to comply with applicable laws and handle people’s personal data responsibly. The letter also provided the VTC companies with guiding principles to address key privacy risks. After some exchanges between the Joint Signatories and the VTC companies, the Joint Signatories conducted a series of virtual meetings with four VTC companies to obtain further information in April 2021.
This activity is an example of constructive engagement between the privacy regulatory community and the organisations we regulate. It has allowed the Joint Signatories to engage with some of the largest and fastest growing technology companies, whose services are used worldwide. It has also given those companies the opportunity to explain their approach to data protection and privacy through direct and practical interaction with a subset of the global privacy regulatory community representing citizens from jurisdictions across four continents.