M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on E-TIPS™ for Deeth Williams Wall LLP on November 10, 2021.
On October 27, 2021, the Office of the Privacy Commissioner of Canada (the OPC) released observations following a series of international engagements between data protection and privacy authorities around the world and four of the biggest video teleconferencing (VTC) companies: Microsoft, Cisco, Zoom, and Google (the Organizations).
Earlier this year, the OPC, along with privacy authorities from Australia, Gibraltar, Hong Kong SAR, China, Switzerland and the United Kingdom (the Joint Signatories), sent an open letter to several VTC companies commenting on the rapid recent expansion of VTC services and highlighting their concerns about whether the companies were implementing appropriate privacy safeguards in their platforms. The Organizations responded to the Joint Signatories’ open letter and described how they account for privacy principles in the design and development of their VTC services. This initial response led to a series of video calls between the Joint Signatories and the Organizations to discuss how the Organizations implement, monitor, and validate their privacy and security measures.
In its observations, the OPC discusses key areas that the Joint Signatories recognized as examples of good practice and recommended for adoption by the broader VTC industry. These areas include:
- security, such as implementing a regular security testing schedule and ensuring employees and third-party sub-processors comply with privacy obligations;
- privacy-by-design, by adopting an overarching privacy program and defaulting all VTC settings to the most privacy-protective option;
- audience-specific resources, including providing enhanced VTC safeguard features for parties that share sensitive information and custom-guidance documents to assist different groups to choose the VTC settings that suit them;
- transparency through the use of layered notices and informing users of any sharing of their information with third parties; and
- end-user control to enable VTC customers to decide what information they share when accessing VTC services and provide alerts when there is a danger that meeting information may become publicly available.
In addition to recognizing good practices, the Joint Signatories also identified the following areas for improvement:
- making end-to-end encryption available to users;
- clearly identifying any secondary use of users’ data and providing an option for users to opt-in to such processing; and
- informing users of, and, if possible, giving them the option to choose, their data storage location and the jurisdictions through which their personal information may be routed by the VTC company.
Based on the success of the Joint Signatories’ discussions with the Organizations, the Joint Signatories stated that the engagement process used in this instance may prove valuable in future circumstances where dialogue would assist in clarifying regulatory obligations, identifying good practices, and increasing public trust in emerging technologies.