Announcement

Observations following global initiative on privacy expectations for video teleconferencing companies

October 27, 2021

The Office of the Privacy Commissioner of Canada and five of its international data protection and privacy counterparts have concluded a dialogue with video teleconferencing services aimed at ensuring good privacy practices.

The joint engagement was launched last year with an open letter to video teleconferencing (VTC) companies. The letter recognized the value of video teleconferencing in keeping people connected, and set out concerns about whether privacy safeguards were keeping pace during a global pandemic that saw a dramatic increase in the use of such services. The joint signatories set out principles to guide companies in addressing some key privacy risks.

The letter was sent directly to Microsoft, Cisco, Zoom, Houseparty and Google. All but Houseparty responded and participated in a series of video calls. In September, Houseparty announced that for business reasons it would cease offering its VTC service.

At the conclusion of these engagements, the joint signatories are issuing an observations document outlining key takeaways – namely what good practices are taking place and where there may be opportunities for improvement.

The companies highlighted measures, processes and safeguards that mitigate privacy risks and take into account the privacy principles laid out in the open letter.

The joint signatories recognized several areas of good practice in the approaches explained to our Offices by these companies including, security, privacy-by-design and default, meeting the privacy needs of their audience, transparency and end-user control.

Good practices included regular privacy and security training for employees, privacy protective default settings for the use of video and microphone, and layered privacy notices.

These good practices relate solely to what was reported as part of this engagement exercise, which was not a formal investigation. Additionally, while companies described some features relating to the use of their VTC platforms in specific contexts, like for telehealth or distance education purposes, the exercise did not examine these aspects in detail. Therefore, comments and observations relate to general public use of VTC platforms and do not generally address their use for the sharing of sensitive information.

The joint signatories also made several recommendations about the use of end-to-end encryption, the need to provide clear information on the use of personal information for secondary purposes and the importance of implementing measures to ensure that information is adequately protected when shared with outside parties, including those located in foreign jurisdictions.