Zoom gets DPIA approval from some EU universities …but with strict conditions
The Zoom video conferencing platform had a rough road to privacy remediation and compliance after its 2020 data breach. Due to the COVID-19 pandemic, Zoom saw a huge uptick in users from educators, schools, and universities. The increased usage also exposed severe security issues, such as widely broadcast meeting room credentials that insufficient detective and preventive security controls failed to catch. Zoom lost over 500 million usernames and passwords across its user base, and many organizations consequently banned Zoom as an acceptable communications platform.
The Zoom data leak had multiple damaging impacts:
- Financial: Many organizations banned Zoom as a communications platform, resulting in lost revenue from monthly subscriptions.
- Operational: Increased time and effort to reset user details. Zoom also instituted new security controls for meetings, including new password requirements.
- Compliance: Zoom paid an $85 million fine to settle claims that it violated user privacy. In addition, Zoom agreed to provide privacy and data handling training for employees and to implement a slate of new security measures.
- Reputational: Zoom suffered negative publicity over the content and visuals that surfaced during the incident. Multiple organizations banned Zoom meetings due to the noticeable impact on the general public.
However, Zoom has redeemed itself somewhat since this catastrophic incident. It has made a huge effort to become a Privacy by Design organization. Zoom not only offers users end-to-end encryption (E2EE) on all chats and meetings; it has also committed to processing all personal data (such as account, diagnostic and support data) exclusively in European data centers by the end of the year.
Netherlands gives Zoom a low-risk rating
In March of 2022, the Netherlands gave Zoom the nod of approval. SURF, the purchasing organization for the Netherlands’ universities, was commissioned to perform a Data Protection Impact Assessment (DPIA) and by May of 2021 had concluded that there were risks. Risks still remain, but March’s DPIA gave universities the green light, stating that “universities and government organizations can mitigate these risks themselves.”
Zoom is upfront about the risks that remain, although they are rated low. They include access to content data by US authorities roughly every two years, which is mitigated through E2EE, pseudonymous names, and a prohibition on identifying data in room or topic names. The DPIA also warns that E2EE is technically not possible when using Zoom via the browser, so browser users forgo that protection.
DPA of the German State of Hesse has approved Zoom for its universities
Germany’s Hessian Commissioner for Data Protection and Freedom of Information (HBDI) has issued the “Hessian model,” confirming that Zoom can be used for courses at Hessian universities if they take appropriate measures:
1. EU-based intermediary processor. The university must use an intermediary processor registered and located in the European Union to handle installation, configuration, and operation.
2. Pseudonymization and technical measures, such as pseudonymized user identities and feature deactivations.
3. End-to-end encryption must be activated. Keys are created and distributed by the university’s Zoom client, not directly by Zoom.
4. Virtual Private Network. The university must offer members VPN access suitable for preventing personally identifiable IP addresses from reaching Zoom.
5. Restriction on use. Zoom may only be used for courses; all personal use is restricted.
6. Sufficient information must be provided to participants and users about the measures they can take to protect their informational self-determination.
With Clarip’s Privacy Impact Assessments, Privacy Intelligence Dashboard, Rules Engine, Vendor Monitor, and Reports Dashboard, we can help you uncover and mitigate data risks. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.