On 23.10.2020, the Data Protection Conference (DSK) published a new guidance document. Among other things, it recommends that companies, public authorities and other organisations “carefully check” video conferencing services such as Zoom, Skype, GoToMeeting, Cisco WebEx or Microsoft Teams, which are based in the USA and process the data there, before using them.
This recommendation is based on the decision of the European Court of Justice (ECJ) to annul the EU-US Privacy Shield (we reported: Schrems II).
We had previously recommended examining this critically, even though an equivalent level of data protection still existed at the time (cf. Switch to video conferencing with professional secrecy in conformity with the law). Now that the FDPIC has also withdrawn the equivalence, this applies all the more; see our contribution “EDÖB: Kein adäquates Datenschutzniveau für Daten aus der Schweiz

According to the DSK, large institutions, companies and public authorities should prefer to use self-operated open source software. This would have the advantages that the data would be processed “exactly as desired and […] that only the person responsible would be able to analyse and control the content and framework data of the systems”. In addition, there would be no need for a data processing agreement and no agreement on joint responsibility.
The DSK notes that large and efficient institutions can be expected “to have sufficient technical and personnel capacities for operation and maintenance and to take appropriate technical and organisational measures to protect the data”, but that this can pose a personnel and technical challenge for smaller companies.
In a short test of video conferencing services conducted by the Berlin data protection authority in July 2020, the commercially available open source software Jitsi Meet from Netways or sichere-videokonferenz.de received very good test results.

A second option would be to have a videoconferencing system operated by a service provider according to the organisation's own specifications. Here the DSK refers to the conclusion of a data processing agreement under Article 28 (3) GDPR and stresses that the software offered must be examined for data outflows to the manufacturer and third parties.
Another possibility is to use an existing online service. Here, the central configuration options, such as data flows and access rights, should be checked and, if necessary, adjusted. In addition, the “responsible person must check the contract processing contracts, terms of use and security certificates submitted by the processor and also his privacy policy”.