Global Privacy Expectations of Video Teleconference Providers
Whilst the use of Video Teleconferencing (VTC) services isn’t novel or ground-breaking, we have seen an exponential growth in their usage across all sectors in the wake of COVID-19. Greater usage has resulted in increased sharing of personal information, which is particularly pertinent in the healthcare sector where that data relates to vulnerable people.
In light of this, an open letter has been published by six Authorities to all companies that provide VTC services, but has been sent directly to Microsoft, Zoom, Cisco, House Party and Google. Namely, the six Authorities are the Office of the Australian Information Commissioner, the Office of the Privacy Commissioner of Canada, the Gibraltar Regulatory Authority, the Hong Kong Privacy Commissioner for Personal Data, the Switzerland Federal Data Protection and Information Commissioner and the UK Information Commissioner’s Office.
The purpose of this letter is to explain their key concerns in relation to the protection of privacy rights and establish the expectations they have of VTC companies to effectively mitigate these concerns, which will be discussed below:
Security
The constant evolution of cyber-threats means our current security measures are never far away from becoming outdated. This has been highlighted during the pandemic with multiple VTC products suffering from leaks of personal data due to their security being exposed.
As a result, Authorities expect VTC providers to ensure ‘adequate safeguards’ are in place to prevent unauthorised access to this data, including effective end-to-end encryption for all data communicated, two-factor authentication and strong passwords. They note that this is particularly relevant for organisations that provide VTC services for sectors that regularly process sensitive information.
Finally, the Authorities remind companies to remain constantly aware of new security risks and ensure their users have up-to-date patches and security upgrades.
Privacy-by-design and Default
The Authorities explain that data protection and privacy cannot be an afterthought in the design of VTC platforms as it will lead to falling short of the expectations users demand in upholding their rights. Instead, they require companies to take a ‘privacy by design’ approach and consider the ‘principle of least privilege’ by making privacy-friendly settings the default.
The letter provides tangible measures which will help companies achieve this, including: implementing strong access controls as default, clearly announcing new callers, setting video and/or audio feeds as mute on entry and minimising personal information or data captured, used and disclosed by your product to only that necessary to provide the service.
Know your Audience
As a result of Covid-19, VTC platforms are now used for an array of circumstances which could never have been anticipated. The letter demands that companies become aware of the variety of contexts for which their services are now used, whether it be children and education, or vulnerable people and healthcare. Once aware of all contexts for which your platform is used, companies are required to identify and implement appropriate measures accordingly.
Transparency and Fairness
As readers of this newsletter will be aware, there have been multiple high-profile privacy breaches in recent years which have led to an increased awareness of how personal data is handled by organisations. The Authorities have highlighted that these obligations are no different for VTC platforms, and companies must inform data subjects what information you collect, how you use it and who you share it with, amongst many other GDPR requirements.
They urge companies to consider how future updates to VTC platforms will affect their current data regime and ensure platform users are informed of these changes so they can make informed decisions about how they use your platform accordingly.
End-User Controls
The Authorities point out that VTC platforms may ‘raise the risk of covert or unexpected monitoring’ in circumstances such as virtual schooling. To mitigate this risk, the Authorities require VTC providers to ensure all end-users are provided with appropriate information and controls relating to monitoring features. For example, introducing opt-out mechanisms so that end users can prevent the VTC platform from collecting location data or recording the transcript of calls etc.
Final Remarks
The Authorities appreciate that VTC companies ‘offer a valuable service’ by keeping us connected during the Covid-19 pandemic, but are clear in their message that the ‘ease of staying in touch must not come at the expense of people’s data protection and privacy rights’.
VTC companies are invited by the Authorities to respond to this open letter by the 30th September, to demonstrate how they are implementing the aforementioned principles in the design and delivery of their services.
Conclusions
VTC services have been subject to an exponential rise in popularity during Covid-19, and this rapidly increasing user base is showing no signs of slowing down as businesses adapt to managing a more digital workforce. Whilst this increased level of expectation on VTC companies may seem onerous, they will be key players in this new era of communication and must address data privacy adequately.
The open letter can be read in full here: https://ico.org.uk/media/about-the-ico/documents/2618022/vtc-open-letter-20200721.pdf
Case Law Update
Software copyright infringement summary judgement application dismissed by the High Court
An interesting judgement has been handed down by Douglas Campbell QC in Oysterware Ltd v Intentor Ltd and others [2020].
Facts
The claimant supplied digital signage services to the defendant in the form of software, hardware and IT support. The agreement was later terminated and the claimant brought proceedings against the defendant for various claims including copyright infringement.
The claimant alleged that the defendant copied the ‘design’ of the claimant’s product which was said to be a ‘single homogenous runtime image’ that comprised of coding owned by Microsoft, the claimant and other third parties. He also alleged the defendant changed the password and gained unauthorised access to the product.
The defendant claimed the product was merely a ‘general purpose computer with a Windows XP operating system’ and therefore the claimant owned no copyright in the operating system, and no copyright subsisted in the design of the ‘product’.
The Decision
The claimant’s application for a summary judgement on the claim for copyright infringement against the defendant was refused by Douglas Campbell QC on the following grounds:
Subsistence
Whilst the claimant believed that copyright subsisted in the design of the product, the court struggled to understand what he was specifically referring to. Expert evidence suggested that the product could not be stripped back and judged compartmentally, but rather its design had to be considered as a whole. As the claimant’s argument relied on copyright subsisting in the ‘single homogenous runtime image’ alone, the courts looked unfavourably at the claimant’s plea. The expert evidence went on to state that what could be interpreted as ‘design’ depended on ‘skilled choices’ and was ‘a matter of opinion’.
Infringement
The question for the court was to determine whether the defendant had copied what conferred originality on the product. When assessing originality of the product, the defendant’s expert said that 70% of it lacked originality. Whilst the claimant deemed this irrelevant, it led back to the questions about the claimant failing to identify exactly what the product structure was, and indecision about what they were specifically trying to protect in the product.
Book Recommendation
The Road to Conscious Machines: The Story of AI – Michael Wooldridge
Michael Wooldridge has been researching AI since 1989, and was the President of the European Association for AI from 2014 to 2016. He has published over 400 articles on the topic, and is also a computer science researcher at the University of Oxford.
This book is an all-encompassing exploration into AI, from the highly detailed technical elements of design, to the highly debated social and ethical issues surrounding its existence. Through clear words he debunks common myths surrounding dystopian concepts of machines replacing humans.
For anyone who wishes to have a clear grasp of the past, present and future of AI, there is no better starting point than this book.