GRA Completes Joint Exercise With Other Privacy Authorities On Privacy Expectations Of Video Teleconference Providers

27 October 2021

In July 2020, six data protection and privacy authorities from Australia, Canada,  Gibraltar, Hong Kong SAR, China, Switzerland and the United Kingdom jointly signed an open letter to video teleconferencing (VTC) companies. 

A statement from the GRA follows below:

In July 2020, six data protection and privacy authorities from Australia, Canada, Gibraltar, Hong Kong SAR, China, Switzerland and the United Kingdom jointly signed an open letter (https://www.gra.gi/data-protection/press-releases/open-letter-to-video-teleconferencing-companies) to video teleconferencing (VTC) companies. The letter highlighted concerns about whether privacy safeguards were keeping pace with the rapid increase in use of VTC services during the global pandemic, and provided VTC companies with some guiding principles to address key privacy risks.

The joint signatories invited five of the biggest VTC companies to reply to the letter.  Microsoft, Google, Cisco and Zoom responded, setting out how they take the principles  into account in the design and development of their VTC services. Following a review  of the responses, the joint signatories further engaged with these companies in a series  of video calls, to better understand the steps they take to implement, monitor, and  validate the privacy and security measures put in place. 

The joint signatories also sent the open letter directly to Houseparty but did not receive a response. In December 2020 and January 2021, the joint signatories encouraged Houseparty to engage with them, including via a press release (https://www.gra.gi/data-protection/press-releases/expectations-of-videoteleconferencing-companies). To date, the group of joint signatories has not received contact from Houseparty. However, Houseparty has engaged directly with the UK Information Commissioner’s Office as part of enquiries separate to those of the joint signatories and provided detailed responses to these enquiries. The UK Information Commissioner’s Office recommended certain steps to Houseparty to improve compliance with the General Data Protection Regulation. However, in any event, in September of 2021, Houseparty announced that for business reasons it had already decided that it would cease offering its VTC service.

What we learned 

Constructive engagement 

This activity is an example of constructive engagement between the privacy regulatory community and the organisations we regulate.

It has allowed the joint signatories to engage, in a coordinated manner and with a  uniform voice, with some of the largest and fastest growing technology companies,  whose services are used worldwide. It has also given those companies the opportunity  to explain their approach to data protection and privacy through direct and practical  interaction with a subset of the global privacy regulatory community representing  citizens from jurisdictions across four continents. 

The dialogue between VTC companies and data protection authorities has proven  effective, efficient and mutually beneficial. Moving forward, the joint signatories  highlight this model of engagement as valuable and replicable in circumstances where  emerging issues would benefit from open dialogue to help set out regulatory  expectations, clarify understanding, identify good practice, and foster public trust in  innovative technologies. 

Good practice 

The joint signatories set out five principles in the open letter to help VTC companies  identify and address some of the key privacy risks of their services. 

In their responses and subsequent engagement with the joint signatories, Microsoft,  Google, Cisco and Zoom highlighted, and in some cases demonstrated, measures,  processes and safeguards they implement that take account of the principles and  mitigate privacy risks. 

The joint signatories recognised several areas of good practice in the approaches  explained to our Offices by these companies. Some examples are summarised below  under each of the five principles set out in our open letter. We do so to proactively  and publicly communicate certain areas of good practice, and to recommend adoption  of these measures, and others, across the broader VTC industry.  

It is noted that such good practices will only be effective if faithfully implemented and  observed. In addition, the areas of good practice set out below relate solely to what  was reported to the joint signatories as part of this engagement exercise, noting that  the joint signatories did not formally investigate the VTC platforms. They are without  prejudice to any enquiries or investigations that each individual joint signatory may  have undertaken separate to this joint engagement activity. They also do not reflect  the privacy practices of Houseparty who did not take part in the engagement activity  with the joint signatories.  

Additionally, while Microsoft, Google, Cisco and Zoom described some features relating  to the use of their VTC platforms in specific contexts, like for telehealth or distance  education purposes, we did not examine nor discuss these aspects in detail. Therefore,  our comments and observations relate to general public use of VTC platforms and do  not generally address their use for the sharing of sensitive information.  

  1. Security 

Testing – Regular testing of security measures is vital to ensure they remain  robust against constantly evolving threats. Various approaches to security testing  were reported, including: penetration tests; threat modelling; “bug bounty”  programs; independent audits; internationally recognised certification; and use of  open source code to enable third party scrutiny. The joint signatories recommend VTC companies take a comprehensive approach by overlaying several such  measures into an overall and recurrent security testing approach. 

Employees and third parties – It is important that employees and third-party  sub-processors understand and comply with their obligations around access to,  and handling of, personal information. Reported good practice examples of  relevant measures included: pre-employment checks; regular employee training on  privacy and security; vetting of third parties, including via vendor selection and  review committees; regular audits of third parties, including logging sub-processor  access to personal information; and a principle of least privilege approach to access  controls where employee access is limited to that required for their job functions. 

  2. Privacy-by-design and default

Privacy programs – Data protection and privacy cannot be bolted on as an  afterthought; for measures to work in practice they must be embedded. Detailed  privacy programs were reported as in place or under development, incorporating  various requirements in VTC services from concept to deployment, including:  completion of privacy impact assessments for all new VTC features; regular contact  between privacy, security and development teams; and adherence to the data  minimisation principle. The joint signatories recommend that all VTC companies  take a holistic approach to privacy by adopting an overarching privacy program or  framework within their organisation. 

Default settings – The joint signatories recommend that all VTCs place settings  for their service at the most privacy protective by default. We saw examples of this  in practice, such as: passwords required by default; virtual waiting rooms by  default; privacy protective default settings consistent in browser and app versions  of VTC services; and video and microphone off by default. 

  3. Know your audience

Enhanced features – Use of VTC services has sharply increased in contexts  where discussions and shared information are particularly sensitive, in education  and healthcare for example. VTC companies must ensure robust privacy and  security safeguards to adequately protect personal data in these more sensitive  environments. While this engagement did not fully explore the use of VTC  platforms in such contexts, some good practice examples reported to the joint  signatories included: teacher-controlled access to meetings; sole teacher control  of screen sharing functions; and secure screen sharing of health documents. 

Guidance – People and businesses are increasingly using VTC services for a wide  range of purposes. Tailored privacy and security guidance for specific groups is a  good practice to help ensure users are more confident using a VTC service and  selecting the settings and features most appropriate for them. The joint signatories  saw examples of custom-guidance such as: guidance and documentation for  teachers and school administrators; guidance and advice for parents; blogs for  users of popular laptop brands; and video tutorials for enterprise clients. 

  4. Transparency

Layered notices – Keeping people informed about how and why their information  is collected and used is a key tenet of data protection and privacy regimes  worldwide. Good examples of providing such information to users via a ‘layered’  approach were reported to the joint signatories, including: detailed privacy notices  and dashboards delineating different categories of personal information collected;  privacy check-up features; contextual notices in advance of video calls; pop-up  written or audible notifications during calls, indicating instances of data collection  through recording or transcripts. 

Third parties – Increasingly, there is heightened awareness and concern amongst  businesses and consumers about how personal information is shared with third  parties and for what purposes. Users of VTC services must be clearly informed  about who their information will be shared with and why (there may be further  requirements in contexts, like telehealth or education, which involve the sharing of  sensitive information). Reported examples of good practice in this regard included:  privacy notices detailing categories of personal information shared, the contractors  with whom this is shared, and the reasons for them processing this information;  6-month notification periods prior to use of new third party processors; and  publication of transparency reports regarding law enforcement and government  requests for access to data. 

  5. End-user control

Meeting controls – It is important that users be given intuitive and clear controls  for their interaction with VTC services and that they are alerted to the information  about them that is collected. The joint signatories saw some good examples of  such controls in practice, including: ability to opt out of attendance or engagement  reports; virtual and blurred backgrounds; user consent prior to host unmuting  audio or activating video; and the ability to report a user for inappropriate conduct  (or ejection by hosts). 

Risk management – VTC users may unknowingly put the privacy and security of  other meeting participants at risk by making meeting information publicly available,  via social media posts for instance. Beyond educational material in guidance  products, the joint signatories noted some innovative approaches to mitigating this  risk, such as a tool to scan social media and alert meeting hosts of at-risk meetings,  encouraging them to secure the meeting or schedule a new one. 

Recommendations 

As well as areas of good practice, the joint signatories identified opportunities to  further enhance or improve some of the measures reported. These are set out below. 

As with the areas of good practice set out above, the opportunities highlighted here  relate solely to the learnings the joint signatories took from this engagement exercise.  They do not reflect, and are without prejudice to, any separate enquiries or  investigations that each individual joint signatory may have undertaken, or may  undertake in future. They also do not relate to the privacy practices of Houseparty  who were not part of the engagement activity with the joint signatories. 

  1. Encryption

The joint signatories acknowledge the reported use by the VTC companies of  industry standard encryption as a minimum. They also welcome the  development or implementation of end-to-end encryption (where the meeting  host creates the key and only they and participants have access to it) in certain  circumstances. They recognise certain limitations on functionality that this can  pose, such as the inability for users to join by phone and the loss of  transcription, while also recognising that such limitations may be beneficial in  certain circumstances. 

To further enhance VTC companies’ approach to encryption, the joint  signatories recommend the following: 

  • Making end-to-end encryption available to all users of VTC services  whether enterprise, consumer, paid, or free; including via development  and implementation of end-to-end encryption as an option in video calls  involving multiple participants; 
  • the provision of clear and easily understandable information to users  about the different levels of security and relevant limitations of  ‘standard’ vs. end-to-end encryption; 
  • more clearly signposted meeting controls and information to allow  meeting hosts and / or users to select their desired type of encryption,  and so meeting participants can easily see the type of encryption in use  in a meeting; and 
  • the use of end-to-end encryption by default in sensitive one-on-one  settings, such as tele-health. 

  2. Secondary use of data

It is important that VTC services build trust with their users by only using  information about them in ways that they would reasonably expect. The joint  signatories recognise that many companies will only use personal information  to provide the core features required to operate their VTC service, and will not  retain it longer than necessary for that purpose. 

However, where personal information is used for secondary purposes, VTC  companies should explicitly make this clear to users with proactive, upfront,  and easily understandable messaging about what information is used and for  which purposes. 

Where secondary purposes include targeted advertising and/or the use of  tracking cookies, it is recommended that VTC companies only do this if users  have expressly opted-in to such processing. 

  3. Data centres

The location where data is held and how it travels across borders and around the world are increasingly important considerations, particularly for enterprise VTC customers looking to ensure appropriate levels of protection for personal information.

Some positive steps were reported in this regard, and the joint signatories  recommend that all VTC companies: 

  • be fully transparent with users on the locations where data is stored  and through which it is routed;  
  • where possible, give users the choice of which locations and  jurisdictions their personal information is routed through and stored;  and 
  • implement measures, contractual or others, to ensure that information  is adequately protected when shared with third parties, including in  foreign jurisdictions. 

What’s next 

Most people have found VTC services very useful during the current global health crisis.  For many, they have been a vital lifeline. Our dependence on, and general use of, VTC  services is likely to continue through the pandemic and after we emerge from it. 

High standards, robust measures, and best practices for privacy and security in the  VTC industry are important for the safe deployment of these services and the ongoing  trust of business and personal users. 

The joint signatories therefore thank Microsoft, Google, Cisco and Zoom for their  engagement and cooperation on this important matter. 

The joint signatories will continue to make themselves available to all VTC companies  for any further engagement to support the maintenance and development of their  services in a privacy protective, safe and trustworthy manner.