Zoom: A lesson in why companies need to design with data protection laws in mind

A class action has been filed in the US against Zoom Video Communications, Facebook and LinkedIn for ‘eavesdropping’ by the defendants on the communications that passed between Zoom’s users’ devices and Zoom’s servers.

While the plaintiffs’ use of the term ‘eavesdropping’ may appear somewhat loaded given the facts pleaded, the suit nonetheless further highlights the risks that the surge in home-working brought about by COVID-19 has exposed us to, and points to problems in how some businesses approach cyberlaw.

Among the claims in the suit is the allegation that services that Zoom integrated into its videoconferencing solution shared data on videoconference participants with LinkedIn, Facebook and others. These data were allegedly used for a variety of purposes, including to enable targeted marketing to participants and to surreptitiously provide personal information on participants, such as their LinkedIn data, to certain other Zoom users.

While the reach of the General Data Protection Regulation (GDPR) is not absolute, it protects the personal data of EU/EEA residents regardless of where the provider of a service they use is located (see Article 3). Therefore, while the non-EU/EEA plaintiffs in the US suit will not benefit from the GDPR’s protections, EU/EEA residents may have grounds to bring their own claims for the same purported failures where Zoom has unlawfully processed their personal data.

A fundamental principle of the GDPR is that the processing of personal data is unlawful unless one or more of six legal bases from Article 6(1) applies. These are (broadly speaking) that the processing is:

  1. performed on the basis of the user having given consent;
  2. necessary for the performance of a contract with the user;
  3. necessary for compliance with a legal obligation;
  4. necessary to protect the vital interests of the user or another person;
  5. necessary in the public interest;
  6. necessary for the legitimate interests of the controller, though this is subject to the interests and fundamental rights of the user.

Zoom’s privacy policy, prior to its recent updates, referred to several of these bases in a broad sense but provided only limited details on what personal data it captured on meeting participants, where these data came from and what these data were used for. Neither the privacy policy nor the terms of service expressly disclosed that Zoom could secretly display meeting participants’ LinkedIn data to others or that meeting participants’ data might be communicated to LinkedIn or Facebook as alleged. While Zoom did note that some information might be shared with other meeting participants, this was largely framed as occurring when a participant themselves shared messages and content in a meeting.

In a UK-oriented assessment of the Zoom lawsuit, Zoom’s processing of users’ personal data in the ways alleged would appear to fall short of ‘fair and transparent’ processing as required by the GDPR. Indeed, if Zoom obtained personal data from LinkedIn about meeting participants or made such personal data available to other users then its privacy policy at the time could fall far short of the requirements of, for example, GDPR Article 14—to provide users with specific information about its use of data obtained from third parties.

In respect of its Facebook integration, from Zoom’s responses to the allegations it appears the company may not even have known that Facebook received the data in question. Zoom simply integrated the relevant feature from Facebook that led to the purported data breach for ‘convenience’. Yet while Zoom’s Facebook and LinkedIn features may have been convenient for some, on closer inspection they may have been unlawful—at least under the GDPR. Zoom’s comments in respect of its Facebook integration, however, shine a light on a problem in the relationship between cyber and the law more generally.

Many businesses integrate third-party features and services into their products, such as those available in Facebook’s software development kit (SDK), and their products are often more useful to us as a result. For example, when searching for an apartment on Airbnb, you will want to see where the apartment is. That is why Airbnb integrates maps. Those maps, however, come from Google. Airbnb has to provide something to Google so that Google knows which map to show you, and data (for example, an address) are thereby exchanged between Airbnb and Google when you view a property listing. When it comes to placing your reservation, it may be more convenient to log in to Airbnb using your Facebook login than to create another online account. However, that Facebook login feature also requires data to be exchanged between otherwise unrelated companies, as Airbnb has to get your name and contact details from Facebook to complete the reservation. Each of these integrations creates the risk of an unlawful data breach if it is not properly managed, yet the connections between a company’s designers/developers and its lawyers are often weak and such risks may not be identified.

Under the GDPR, the protection of a natural person in relation to the processing of their personal data has become a fundamental right. If a company processes the personal data of EU/EEA residents, one or more of the six GDPR lawful bases of processing needs to be designed into its services to protect it from legal action. As the legal challenges Zoom faces should make clear, businesses may already be processing personal data in ways whose legal implications they have not fully considered and of which they are perhaps not even aware.

Zoom has changed some of its business practices in response to recent criticisms and has revised its terms of service and privacy policy “to be more clear, explicit, and transparent”. The outcomes of the lawsuits it faces may in time permit a more complete assessment of its transparency claim. However, as home-working during the pandemic drives the uptake of more online tools and services, providers of such online solutions are advised to brush up on their responsibilities and obligations under data protection laws.

First published by From Counsel, April 2020.

Paul Schwartfeger on 27 April 2020