Insights Header image
Insights Header image
Insights Header image

Global Privacy Authorities Remind Video Teleconferencing Companies of Privacy Expectations

July 29, 2020 Privacy Law Bulletin 3 minute read

On July 21, 2020, the Office of the Privacy Commissioner of Canada (the “OPC”) published a letter, along with privacy authorities from across the globe, to remind video teleconferencing (“VTC”) companies of their obligations regarding user’s privacy.[1] Their goal is to provide companies with principles which can help them identify and address privacy risks and better protect the personal information of users. As stated in the letter, “the ease of staying in touch must not come at the expense of people’s data protection and privacy rights.”

VTC services have experienced a massive surge in demand during the COVID-19 pandemic, with a record 62 million downloads during the week of March 14th.[2] This was an increase of 90% from the average downloads in the previous year, and is being seen across several popular VTC services.[3] Uses range from education or work-relation to social purposes, all of which pose particular privacy concerns.

Zoom faced significant media attention following the rise of “Zoom bombers” – uninvited individuals who would interrupt calls.[4] In March, the FBI warned schools against the risk of online classroom hijacking following a number of reports of VTC services being interrupted by inappropriate content.[5] The OPC shared a number of guidelines for users to protect their privacy while using VTC services, but are now turning to the VTC companies themselves to protect the privacy of their users.[6]

The letter sets out a non-exhaustive list of data protection and privacy principles to guide the actions taken by VTC companies to safeguard private information and mitigate risks:

1. Security

With the increasing use of VTC and evolving state of cyber-security threats, data security is a principal responsibly of any VTC company. Increasing reports of security flaws which have led to unauthorized access to accounts, shared files and calls create a worrying trend. Security measures such as end-to-end encryption, two-factor authentication and passwords should be give additional consideration, and regular upgrades should be provided to address new security risks. This is particularly true where information is being processed by third parties and across international borders.

2. Privacy-by-design and default

Privacy should be more than an afterthought – it should be an integral portion of the VTC service design. The most privacy-friendly settings, such as strong access controls and clearly announcing new callers, should be adopted as the default settings. This also includes minimising the personal information captured, used and disclosed to only the data necessary to provide the service.

3. Know your audience

The rising use of VTC services amid the COVID-19 pandemic has led to VTC being used outside of the context they were designed for. VTC companies should consider how they are currently being used and what new risks this involves, such as in healthcare and education.

4. Transparency and fairness

There is a heightened awareness of how companies handle personal information, and increasing expectations regarding use and disclosure. VTC companies should be honest with what information is collected and how it is being used. They should also ensure users are aware of any changes to the platform which may impact their privacy. This information should be easily accessible and consent is informed where it is required.

5. End-user control

VTC companies should be aware that end users may have little choice about the VTC services they are using, such as in their school or workplace. The service may allow for host capabilities such as collecting location data and creating transcripts of calls. VTC companies should ensure that end users should have appropriate information and control, and provide them the same level of honest communication and transparency they do with the host.

These principles are intended to not only ensure compliance with data protection and privacy laws, but also built trust and confidence of VTC users. The letter also reminds VTC companies that they are expected to consult with privacy regulators regarding any risks or issues which arise. In addition, they are welcoming responses from VTC companies to demonstrate how they are applying these principles to their design and delivery. It is unclear if these responses will be made available to the public.

If you have any questions relating to your privacy program or use of VTCs, please do not hesitate to contact a member of our Privacy and Data Protection Group.

By Grace Shaw and Kristen Shaw (Summer Student)

[1] Office of the Privacy Commissioner of Canada. Joint statement on global privacy expectations of Video Teleconferencing companies
[2] “COVID-19 Outbreak: Video Conferencing Demand Rises due to Social-Distancing” (7 May 2020) online: Businesswire
[3] Lexi Sydow, “Video Conferencing Apps Surge from Coronavirus Impact” (30 March 2020) online: App Annie
[4] Kate O’Flaherty, “Beware Zoom Users: Here’s How People Can ‘Zoom-Bomb’ Your Chat” (27 March 2020) online: Forbes
[5] FBI Boston, FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic (30 March 2020), online: Federal Bureau of Investigation
[6] OPC Blogger, “Privacy Tech-Know blog: Videoconferencing – Maintain your physical distance, but keep your personal information close” (1 May 2020), online: Office of the Privacy Commissioner of Canada

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2020

Insights (5 Posts)View More

Featured Insight

Transformative Change: Your Guide to Canada’s Breathtaking Competition Act Changes

We provide a summary of far-reaching Competition Act amendments proposed in 2023.

Read More
Dec 5, 2023
Featured Insight

Class Actions May Now Be Easier to Defeat in Ontario

It is now clear: the revised preferability analysis under the amended Class Proceedings Act is a strict, more onerous hurdle for plaintiffs to satisfy.

Read More
Dec 4, 2023
Featured Insight

R. vs Greater Sudbury Webinar

Following a brief overview of the case and the SCC’s split decision, this discussion will focus on the implications of the decision to the roles and responsibilities of each project party, including the owner, contractor and design consultant (architect and engineer). The discussion will be interactive and will include an extensive Q&A period.

Wednesday, December 13, 2023
Featured Insight

Client Alert – Certain Canadian Corporations May Be Subject to US Corporate Transparency Act Reporting Requirements

Certain Canadian Corporations Conducting Business in the United States May Be Subject to US Corporate Transparency Act Reporting Requirements

Read More
Nov 29, 2023
Featured Insight

Could it be True? Canada to Introduce Open Banking Legislation

On November 21, 2023, the Government of Canada released its 2023 Fall Economic Statement. The Economic Statement announced the federal government's intention.

Read More
Nov 29, 2023