Our society is being shaped by the pandemic, and companies in particular have to adapt to the new situation. Increasing digitization makes it possible for modern companies to hold customer visits in virtual conference rooms. Even after the pandemic, video conferencing tools will not disappear: their high cost-benefit ratio has been confirmed, and lengthy field service appointments can now be carried out from the company's own office or from a home office.
But privacy advocates are sounding the alarm that not all conference tools are GDPR compliant. In most cases, the providers of virtual conference rooms are headquartered in the United States or in another third country outside the EU. The servers through which the conferences are held are in most cases also located in these countries, and the GDPR therefore no longer applies to them. Global players in particular, such as Microsoft, Google, Zoom and Facebook, which offer cloud and telecommunications services, only comply with the data protection rules that apply at the server's location. This server data is of great interest to intelligence services, governments and other companies, because it enables profiling, and further data can be used for advertising purposes.
How is data protection between the USA and the EU to be assessed?
The so-called Privacy Shield Agreement existed between the USA and the EU from 2016 to 2020. This agreement regulated the use and transfer of personal data of persons from the EU member states. In it, however, the data protection rules of the United States were classified as adequate, a fallacy, as these rules are not adequate for people from EU member states. US companies could invoke data protection rules that did not actually apply, while Germany had to follow its particularly strict requirements. Even the GDPR (General Data Protection Regulation) from 2018 could not remedy this, and the personal data of EU citizens remained practically unprotected. In 2020 the Privacy Shield Agreement was overturned and repealed by the European Court of Justice.
Data protection and the video conferencing tool Zoom
Zoom is a profit-oriented company, and this should always be taken into account when using it. Conversely, this means that data protection is not the top priority and data security is sometimes treated as secondary. At Zoom, data protection is even sold to the customer as a feature of the paid accounts.
The pandemic has made Zoom better known and more popular in the EU, but data protection officers are concerned, as the fixing of security vulnerabilities has been neglected and Zoom has been classified as not GDPR compliant. Security gaps meant that over 500,000 sets of metadata could be found on the darknet and the content of conferences could be intercepted. Even prominent figures have taken a hostile stance towards Zoom: Elon Musk and the FBI have banned the use of the tool in their organizations. The macOS and iOS clients are also said to have transferred data to Facebook, and webcams and local web servers were accessed without the user noticing.
If you study the data protection information on the Zoom data center website, you will note that the company is located in the USA and is therefore also responsible for the Zoom website, including all data processing. If you download the app on offer, keep the security deficiencies mentioned above in mind. If the user wants to work in the browser, only the basic functions are offered. User data is stored for at least one month upon registration. Whether the server is in Germany or the EU is of secondary importance, as Zoom generally processes the data in the USA.
How does Zoom process the data it collects and how does data protection work - an example
If the customer studies a few passages of text from the Zoom data center, they will come across some vague formulations that give an idea of how much importance Zoom attaches to data protection.
According to Zoom, personal data that is collected and processed through participation in video conferences may not be transmitted to third parties. One exception, according to Zoom, is when the data is intended for distribution. Further on, Zoom notes that data from the conferences is often intended for communication purposes and thus for passing on at the same time.
Such passages are rather unpopular with data protection advocates: on the one hand the data should not be transmitted, but on the other hand the tool is supposed to contain exactly this functionality, since communication is usually what is wanted. In an in-person meeting you share data with a limited group of participants, but Zoom even allows unknown conference participants to be added. This is where data protection practice reaches its limits.
Zoom alternatives - how should conference tools be assessed in terms of data protection law?
In general it can be said that no tool offers complete data security. If you want to purchase or use a data protection-compliant solution, you should always check a few criteria.
- Is it a trustworthy provider?
There is no general answer to this, but studying press reports gives you a good overview. If a provider has already attracted attention several times for data protection violations, using its tool is not advisable.
- Data security and encryption
Video, audio, screen sharing, connection data and metadata should always be transmitted in encrypted form. In this area, Webex from the Cisco company is ahead. Metadata encryption is also offered as standard in the free version of Webex.
- The seat of the provider - an important criterion for data protection
Basically, you should rely on a provider that does business from the EU or the European Economic Area. The Demodesk and Teamviewer applications offer security here, as the companies' headquarters are located in Germany.
- Own server - best security
If you want to be on the safe side, hosting on your own servers is definitely the best choice. Although "on-premise solutions" are still ahead here, data protection advocates recommend a "self-hosted" solution, such as those offered by Jitsi Meet and Nextcloud Talk.
Which video conferencing provider is recommended for data protection purposes?
Data protection authorities clearly recommend Jitsi Meet and Nextcloud Talk here. With these tools, data protection is ensured and the application runs on the customer's own server. Unfortunately, there have been reports that Jitsi Meet does not offer optimal conference quality, a point where a willingness to compromise is required. Nextcloud Talk has difficulties with larger meetings and is therefore still in its infancy.
If you look at the data protection of the individual tools, you can roughly distinguish between four groups of providers:
- "Secure Leaders"
Unfortunately, this field is almost unoccupied so far. "Secure Leaders" should be able to demonstrate a high ability to execute and a high level of data protection. Cisco Webex is the only provider that comes close to this group, but it does not fully convince in terms of data protection.
- "Unsecure Leaders"
This group of providers can demonstrate a high level of user-friendliness and brand awareness. Here you find providers such as Zoom, Microsoft Teams, Skype or GotoMeeting, but all of them have inadequate data protection.
- "Secure Visionaries"
If you value data protection, a company is in good hands with a "Secure Visionaries" provider. These providers do not yet have a high level of user acceptance and are rather unknown. This group includes Blizz, Jitsi, Nextcloud and Avaya Aura.
- "Niche Players"
A provider from the "Niche Players" group is not recommended for companies and government institutions. These providers cannot show any market penetration and also perform rather inadequately with regard to data protection. The provider Amazon Chime should be mentioned here.