Data protection authorities set out expectations in open letter to VTC companies

On 22 July 2020, data protection authorities from Australia, Canada, Gibraltar, Hong Kong, Switzerland and the United Kingdom (together the Authorities) issued an open letter (Letter) on global privacy expectations of video teleconferencing companies (VTC companies)[1].

Why is there such a Letter?

As a result of the COVID-19 pandemic, the Authorities have witnessed an increasing use of VTC tools, both in social and business contexts. In the Letter, the Authorities provided VTC companies with principles to help them identify and address some of the privacy concerns that were reported in the media as well as raised directly with the Authorities.

The Authorities were brought together through the Global Privacy Assembly (GPA)’s International Enforcement Cooperation Working Group (IECWG) to issue this Letter to all VTC companies around the world. The Letter has also been sent directly to Microsoft, Cisco, Zoom, House Party and Google.

What does the Letter say?

The Letter sets out principles for VTC companies to address some of the key privacy risks in designing and delivering their services. We summarise the principles below:

  • Security. VTC companies should have in place as standard certain security safeguards against cybersecurity risks and threats, which, as the Authorities pointed out in the Letter, would generally include effective end-to-end encryption for all data communicated, two-factor authentication and strong passwords. These security measures should be reviewed and updated routinely.
  • Privacy-by-design and default. In designing the platforms, VTC companies should make data protection and privacy integral to their services, as a starting point rather than an afterthought, and adopt the most privacy-friendly settings as default. For example, there could be features such as announcing new callers, setting audio/video feeds to mute on entry and enabling users to seek other users’ consent.
  • Know your audience. VTC companies should understand and review how platforms are being deployed by users, particularly when it comes to children, vulnerable groups, and contexts where discussions on calls are likely to be sensitive.
  • Transparency and fairness. VTC companies should proactively make users aware, in an easily accessible manner, of how their personal information will be used and ensure their use of personal information collected is fair and expected. VTC companies should obtain specific and informed consent when needed.
  • End-user control. As pointed out by the Authorities in the Letter, some novel features of VTC platforms “may raise the risk of covert or unexpected monitoring”. For example, in virtual classrooms, the teacher as the host may be allowed to track the attention of the end-users, i.e., the students. VTC companies should make sure the end-users have appropriate information and control of such features on their platforms.

VTC companies are invited to respond to the Letter by 30 September 2020, to demonstrate how they are taking the above principles into account in the design and delivery of their services.

What else can VTC companies refer to?

Back in May 2019, the Privacy Commissioner for Personal Data of Hong Kong and Singapore’s Personal Data Protection Commission released a jointly developed Guide to Data Protection by Design (DPbD) for ICT Systems (Guide)[2].

The Guide sets out DPbD principles to be applied to all phases of software development as well as existing information and communications technology (ICT) systems. It also recommends good data protection practices for ICT systems in detail, from creating online forms and testing to exporting data and retention of personal data in the system.

Conclusion

Concern for data privacy is growing as online communication tools are being used heavily as a means of staying connected during COVID-19 lockdowns and border closures. While it is uncertain how long the current situation will last, the user base of VTC platforms will undoubtedly continue to expand, and data privacy will be an issue we must address adequately and promptly. VTC companies play a critical role in the development of new trends of communication, and should pay attention to their social and, in some cases, legal responsibilities in data protection. Users of VTC platforms, whether businesses or individuals, should also be aware of their rights and obligations in dealing with their own and others’ personal information on the platforms.