Six of the world’s privacy commissioners have signed an open letter asking video teleconferencing companies to be mindful of their obligations to comply with the law and handle people’s information responsibly.
The open letter is signed by six authorities brought together through the Global Privacy Assembly’s International Enforcement Cooperation Working Group: The Office of the Australian Information Commissioner (OAIC), the Office of the Privacy Commissioner of Canada, the Gibraltar Regulatory Authority, the Hong Kong Privacy Commissioner for Personal Data, the Switzerland Federal Data Protection and Information Commissioner, and the UK Information Commissioner’s Office.
In the wake of the COVID-19 pandemic, there’s been a sharp increase in the use of video conferencing platforms not just to stay connected to friends and family, but for business purposes and telehealth.
The group said that media reports, as well as concerns raised directly to each member in their respective jurisdictions, indicate the realisation of these risks in some cases.
“This has given us cause for concern as to whether the safeguards and measures put in place by VTC companies are keeping pace with the rapidly increasing risk profile of the personal information they process,” they wrote.
The document provides video teleconferencing companies (VTCs) with five principles to consider across security, privacy by design, knowledge of their audience, transparency and fairness, and end-user control.
“Your organisation should remain constantly aware of new security risks and threats to the VTC platform and be agile in your response to them. We would anticipate that you routinely require users of your platform to upgrade the version of the app they have installed, to ensure that they are up-to-date with the latest patches and security upgrades,” the letter says, under the header of security.
“Particular attention should also be paid to ensuring that information is adequately protected when processed by third-parties, including in other countries.”
The letter also calls for VTC companies to ensure they take a privacy-by-design approach to their service, which includes implementing features that allow business users to comply with their own privacy obligations, as well as to minimise the personal information or data captured, used, and disclosed by the product to only that necessary to provide the service.
With the group noting COVID-19 has meant platforms and services are being used differently to how they were intended, the letter asks that companies review and determine the new and different environments and users of its platform.
“This is particularly important when it comes to children, vulnerable groups, and contexts where discussions on calls are likely to be especially sensitive (in education and healthcare for example), or when operating in jurisdictions where human rights and civil liberty issues might create additional risk to individuals engaging with the platform,” the letter continues.
Under transparency and fairness, the letter reminds VTCs that failing to tell users how their information is used, and not considering whether what a company is doing is expected and fair, may lead to a violation of the law and of the trust of users.
“You should be up-front about what information you collect, how you use it, who you share it with (including processors in other countries), and why — even if you do not consider the collection, use or sharing of that information to be particularly significant yourself, it is still important that its use is honestly communicated to the customer at all times,” they wrote.
The group also asks that VTCs give as much end-user control over privacy and information collection as possible.
While the letter is for all video conferencing companies, it has also been sent directly to Microsoft, Cisco, Zoom, House Party, and Google. The group is seeking responses to its letter from VTC companies by 30 September 2020.