Zoom has announced a slew of data privacy features, developed in collaboration with the Dutch education and research organization SURF, for its European customers.
The key element is the option for European Economic Area (EEA) data storage. Paid customers will be able to specify certain data for meetings, webinars, and team chat to be stored within the EEA. “This data will only be shared with US teams in individual cases and exceptional circumstances, such as with Zoom’s Trust & Safety team,” says the announcement.
Associated with this is a new European support team. “All support information will be processed within the EEA by local employees during normal business hours,” says Zoom.
A second important announcement is the availability of a tool to facilitate data subject access requests (DSAR). This allows, says Zoom, “administrators to easily reply to data subject requests for access or deletion of their personal data for Zoom Meetings, Webinars, and Team Chat.” This facility is an important part of GDPR and CCPA compliance, and relevant because the meeting organizer is the data controller for the meeting.
Personal data is any data that can be used to identify a user (such as a display name or email address). “Zoom’s Data Subject Access Request tool can delete personal data that customers have access to that is not part of any recordings or other content,” Zoom told SecurityWeek.
“Zoom’s tool does not delete personal data within any recordings or other communication content that a host records that is hosted by Zoom,” continued the spokesperson. “Zoom maintains a separate feature for meeting hosts to manage recordings for local records – because those recordings are held on a local device, Zoom has no ability to delete them.”
It is important to note that Zoom is providing enhanced privacy features where it can for paid customers. But it cannot guarantee privacy for the communications content since this may be recorded by an attendee and stored anywhere outside of Zoom’s reach.
Furthermore, said the spokesperson, “It’s also worth noting that the host account is the ‘data controller’ for the meetings. If you’re a European user joining a meeting hosted in the US, any data collected or shared in those meetings will follow the host account.”
Despite the limitations to what it can achieve, SURF is happy with the outcome. “We are pleased with the adjustments Zoom has made to its software as a result of our collaboration,” said Jet de Ranitz, CEO and chairperson of SURF’s board of directors. “With Zoom’s new privacy features and recent modifications, the company has showcased a commitment to European privacy standards.”
But privacy remains a complex issue for Zoom meetings. The firm is enhancing privacy options where it can for its paid subscribers – but meeting attendees must remain aware that the privacy of what they say at such meetings cannot be guaranteed.
And the potential effect of the UK’s Online Privacy Bill and EU moves toward similar ‘bans’ on end-to-end encryption (E2EE) remains to be seen. Zoom has an E2EE option, but European governments are demanding that law enforcement should have access to plaintext (which means it would no longer be E2EE). If these moves become law in Europe, the concept of privacy becomes moot.
SecurityWeek asked Zoom for its position. It replied, “Zoom is committed to providing robust global data and privacy protections, and seeks to comply with all applicable regulations in the jurisdictions in which it operates. We are waiting to see the final text of the proposed regulations and remain committed to supporting our users in the EU and UK.”
Related: Zoom Paid Out $3.9 Million in Bug Bounties in 2022
Related: Zoom Patches High Risk Flaws on Windows, MacOS Platforms
Related: Zoom for macOS Contains High-Risk Security Flaw
Related: Zoom Patches Serious macOS App Vulnerabilities Disclosed at DEF CON
