Privacy obligations of video teleconference providers

Privacy obligations of video teleconference providers

Privacy obligations of video teleconference providers

As everyone is aware, the COVID-19 pandemic has led to an escalation in the use of video teleconferencing (VTC) for both social and business purposes. This in turn has resulted in a sharp increase in the volume of personal and sensitive information shared online, thus prompting concerns from privacy regulators as to the adequacy of data protection measures implemented by VTC providers.

On 22 July 2020, the Office of the Australian Information Commissioner (OAIC) published an open letter to companies providing VTC services. The letter was co-signed by five other data protection authorities – from Canada, Gibraltar, Hong Kong, Switzerland and the United Kingdom –  all of which had been brought together through the Global Privacy Assembly’s International Enforcement Cooperation Working Group.

The letter was directed at all video conferencing companies, but was sent directly to Microsoft, Cisco, Zoom, Houseparty and Google. The OAIC invited comment from VTC providers by 30 September 2020.

The purpose of the open letter was to clarify the regulators’ expectations of steps which VTC providers should be taking to mitigate privacy risks confronting users or, to the extent certain risks could not be mitigated, encourage discussion between VTC companies and privacy regulators as how specific situations might be addressed.

Against this background, the letter set out five guiding principles for VTC providers. As the letter observed, “ease of staying in touch must not come at the expense of people’s data protection and privacy rights”.

The five principles

1. Security

The letter noted that during the current COVID-19 pandemic, reports had emerged of security flaws in VTC products which enabled unauthorised access to accounts, shared files, and calls. VTC providers were urged to implement security measures such as effective end-to-end encryption for all data communicated, two-factor authentication and strong passwords. This was particularly the case where VTC services were provided in respect of activities which routinely involved the processing of sensitive information, such as remote medical consulting and online therapy. Users should be encouraged to upgrade the version of the VTC app which they had installed to ensure that they were up-to-date with the latest patches and security upgrades.

2. Privacy-by-design and default

The letter encouraged VTC providers to take a “privacy-by-design approach” to their service. In other words, privacy protection should be integral to the design of the VTC system. This should include creating privacy-conscious default settings, implementing features to facilitate the process of obtaining users’ consent, and minimising the amount of personal information captured, used or disclosed. Service providers were encouraged to undertake privacy impact assessments to ensure their personal information handling practices were consistent with legal requirements and individual expectations.

3. Know your audience

The letter referred to the fact that in the course of the COVID-19 pandemic, there were many examples of VTC platforms being deployed in contexts for which they were not originally designed. This had the potential to create new risks that an individual may not have anticipated prior to the current crisis. VTC providers were urged to review their environments for privacy weaknesses, and this was considered particularly important in the case of vulnerable users and sensitive contexts (such as education and healthcare), and also when operating in jurisdictions where human rights and civil liberty issues might create additional risks for individuals engaging with the platform.

4. Transparency and fairness

VTC providers were urged in the letter to remain mindful of basic privacy obligations. In the case of the collection of personal information in the Australian private sector, this would incorporate obligations of openness and transparency under Australian Privacy Principle 1, and lawfulness and fairness under Australian Privacy Principle 3. Providers should therefore ensure that users were made aware of how their personal information would be used, and they should further ensure that any such use was expected, fair and lawful. This information should “be provided pro-actively, be easily accessible and not simply buried in a privacy policy”. Consistent with the OAIC’s Australian Privacy Principles Guidelines, any consent required from a user for privacy purposes should be specific and informed.

5. End-user control

The letter noted that end-users would often have little choice about the use of a VTC service if a particular platform had been purchased, or was being exclusively utilised, in a given workplace, school or other setting. It was, therefore, important that any uncommon monitoring features be brought to the attention of users. If, for example, a VTC platform allowed the host to collect location data, track the engagement or attention of participants, or record or create transcripts of calls, this should be unambiguously notified to the end-users. VTC providers should consider whether an option could be made available for end-users not to share such information and still receive the basic service.

A broader context

Whilst the letter was directed at VTC providers, it raises issues of which all businesses should be aware when deploying VTC technology as a communications tool. Every business should remain aware of the privacy implications of their teleconferencing policy, ensure that users for whom they are responsible are fully informed as to any risks or vulnerabilities, and adjust their prevailing privacy practices accordingly.

The full text

The full text of the OAIC letter can be read here.

Next article Navigating privacy issues involving contact tracing data: A checklist for Australian businesses