Microsoft Teams, Zoom, WebEx: Berlin authority warns against popular video systems
After an initial data protection audit, some video service providers have made improvements to their offerings. But the Berlin data protection commissioner still sees serious shortcomings.
The State Commissioner for Data Protection in Berlin (Germany), Maja Smoltczyk, advises against using leading video conferencing systems such as Microsoft Teams, Skype, Zoom, Google Meet, GoToMeeting, TeamViewer and Cisco WebEx. The reason is a follow-up audit of various offerings. After a number of services had already failed a test of data protection requirements last year, the renewed test of the major providers did not reveal any substantial improvement.
Smoltczyk said that she was pleased "that our comments had persuaded so many providers to improve their offerings, in some cases very significantly, in terms of data protection". There are now enough legally compliant services for a wide range of purposes that there is no reason to break data protection law for video conferencing.
However, if a provider of a "legally deficient" video conferencing service fails to act, it is "urgently time to change," the authority chief stressed. "Convenience cannot justify the violation of fundamental rights."
In the audit report now published, there was virtually no change in the assessment of the leading video service providers. They were all given a "red light" by the authority. In these systems, "there are deficiencies that preclude the use of the service in accordance with the law, and their elimination will presumably require significant adjustments to business processes," according to the paper published Thursday.
The privacy issue weighs heavily because video conferencing has become commonplace during the coronavirus pandemic. In everyday professional life, the usual tools are routinely used for communication. In many schools, it's a different story. The use of video services is not the free decision of the individual teacher, said Heinz-Peter Meidinger, president of the German Teachers' Association. The prerequisite, he said, is that the school has an appropriate license for the software and that the necessary data protection is guaranteed. "So it's not permissible for a teacher to invite students to a Zoom session from home, for example."
The test gave a "green light" to commercially provided instances of the open-source Jitsi Meet software, such as the service from Netways or Sichere-videokonferenz.de. The Tixeo Cloud, BigBlueButton from Werk21 and Wire also received a positive verdict. Many schools have been using the learning platform "Moodle" and the video chat program "Big Blue Button" during the coronavirus period, but this often does not run smoothly.
In the case of the Cisco WebEx service, as provided via Deutsche Telekom, the data protection officers noted a deterioration. In the first audit, the provider had still been given a "yellow traffic light" - with the prospect that the elimination of the deficiencies would "probably be possible without significant adjustments to business processes and technology."
Ongoing dispute with Microsoft
Now, however, the traffic light is set to "red". With regard to data traffic, for example, the authority criticized the fact that service providers were involved who had not been approved as so-called sub-processors. In addition, "non-contractually stipulated data exports to third countries were identified" in the course of the data traffic audits. Specifically, this involves the transfer of personal data to the U.S. for billing purposes. In the case of 24/7 support, personal data could also be transferred to the U.S., but there was no legal basis for this.
Also rated "red" (originally "yellow") were free instances of Jitsi, which are provided by universities and the Chaos Computer Club, among others. As a rule, no data processing agreement was in place for these.
Among the state data protection commissioners, Smoltczyk made a name for herself as a critic of established video conferencing systems and initially published only negative checklists with criteria that ruled out the use of the systems. Companies such as Microsoft fought back against this.
The U.S. company also countered concerns by pointing out that video conferencing and telephony via Microsoft Teams and Skype for Business Online are always encrypted during transmission and are operated and secured according to the current state of the art. Both services could "also be used without restriction for sensitive conversations and content". The contractual agreements required under data protection law had also been concluded.
Fines of up to 20 million euros possible
The Berlin authority continues to see shortcomings in the implementation of the requirements of the General Data Protection Regulation (GDPR). Most of the changes to the data protection provisions for the company's online services were positive, the authority said. "Nevertheless, one of the most important basic problems of the contract, that it is unclear and contradictory in many places, remains," the audit report by the data protection experts states.
For example, Microsoft reserves the right to process, for its own purposes, personal data that it is actually processing on behalf of its customers. However, a legal basis for the associated disclosure of personal data by the data controller to Microsoft is "not apparent". In addition, the data protection notices "contain regulations in many places that contradict the minimum legal requirements".
Another criticism is that Microsoft reserves the right to process the commissioned data at any location where the company or its subcontractors operate, i.e. also in the USA. This is particularly sensitive because the US intelligence services have extensive access to the data stored at US companies. This problem also affects Zoom, the online platform GoToMeeting and Google Meet, to which the Berlin data protection experts attest "inadmissible data exports".
Since, at the latest, the European Court of Justice (ECJ) overturned the legal basis for the transfer of personal data of European citizens to the USA ("Privacy Shield") in July 2020 due to insufficient data protection, many US products have been in violation of the GDPR. Fines of up to 20 million euros are possible against companies that use the services anyway.
According to the Berlin supervisory authority, Microsoft has also undergone self-certification under the Privacy Shield. However, the EU Commission's adequacy decision in this regard has been declared invalid by the ECJ ruling. In addition, it was not evident that "sufficient additional measures" had been taken to compensate for the "inadequate level of data protection in the USA" in accordance with EU case law.
Expert: Despite concerns, controversial tools can be used
Würzburg IT expert Chan-jo Jun can understand the concerns of data protection advocates, who distrust Microsoft and the American intelligence services, for example. "However, this is not a legal ban, but a matter of taste or conscience," the lawyer recently told the "Süddeutsche Zeitung." Schools could still use U.S. services, he said, but would have to take technical and organizational precautions. "So, for example, pseudonymize student data, encrypt it, choose European servers, delete completed homework at short notice and educate users."
Zoom now encrypts content end-to-end. According to the expert, the problem that metadata can still end up with a U.S. provider can be solved by avoiding personal metadata through pseudonyms and not using accounts. "It becomes more difficult if you also want to use functions on platforms like Teams that require a log-in and then also voluntary consent."
At Zoom, meanwhile, the data protection experts also found deficiencies in the data processing agreement, as well as inadmissible restrictions on, for example, the obligation to delete data and the customer's control rights. At Google Meet, the audit revealed similar deficiencies. In the case of the TeamViewer video conferencing system, one negative aspect was that the provider reserved the right to process commissioned data for its own purposes.