Karlsruhe, 24 November 2020
Video conferencing & data protection – what’s the alternative to Zoom and Teams?
The German GDPR-compliant alfaview® video conferencing solution excels in terms of data protection and is already used by over 20,000 institutions with approximately 1 million users worldwide.
Multinational projects, international subsidiaries, employees working remotely – the working world demands creative solutions for efficient collaboration. More and more providers are therefore offering corporate video conferencing solutions. It is by now common knowledge that the protection of personal data does not always come first. Nevertheless, tools from US providers are often used due to a supposed lack of alternatives. But is this even allowed from a data protection point of view?
The underlying issue: adequate level of data protection
The European Union's General Data Protection Regulation (GDPR) states that personal data may in principle only be transferred to a third country if the country in question ensures an adequate level of protection for the data. This can be achieved either through adequacy decisions or through the use of standard clauses and additional guarantees by processors.
When using popular video conferencing solutions such as Zoom, GoToMeeting, Microsoft Teams or Skype, personal data of the users is sent to the USA and processed there. This can be data such as names, email addresses or location, but also the content of the video conference – i.e. what the participants communicate via audio, video or text. Until now, such data was transferable to the US on the basis of an adequacy decision, the EU-US Privacy Shield.
When using popular video conferencing solutions such as Zoom, GoToMeeting, Microsoft Teams or Skype, personal data of the users is sent to the USA and processed there. This can be data such as names, email addresses or location, but also the content of the video conference – i.e. what the participants communicate via audio, video or text. Until now, such data was transferable to the US on the basis of an adequacy decision, the EU-US Privacy Shield.
Schrems II judgment and its consequences
In Decision 2016/1250, the Schrems II judgment, the Court of Justice of the European Union (CJEU) declared the adequacy of the protection offered by the EU-US Privacy Shield to be insufficient, as the current US laws cannot ensure the adequate level of data protection. For example, intelligence agencies are allowed to access the data of non-US citizens without the data subjects being able to seek effective remedies. Due to the CJEU judgment, it has been established as of July 2020 that a transfer of personal data to the United States on the basis of the Privacy Shield is no longer permissible.
This decision concerns all public bodies and companies that transfer data to the United States, especially if this was previously performed under the Privacy Shield Agreement. In addition, public bodies and companies that transfer data to another third country are also concerned, unless the third country is covered by an adequacy decision under the GDPR. Currently, such decisions exist for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay, but no longer for the United States.
As a result, a transfer of personal data from the EU to the United States is no longer possible in principle, except in a few specific situations. This is the opinion of all European data protection supervisory authorities, including the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg. In its guidelines, the State Commissioner for Data Protection and Freedom of Information points out that only such solutions may be used where there are no transfer issues. Otherwise, the data transfer will be prohibited by the State Commissioner for Data Protection and Freedom of Information and may result in fines and claims for damages.
This decision concerns all public bodies and companies that transfer data to the United States, especially if this was previously performed under the Privacy Shield Agreement. In addition, public bodies and companies that transfer data to another third country are also concerned, unless the third country is covered by an adequacy decision under the GDPR. Currently, such decisions exist for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay, but no longer for the United States.
As a result, a transfer of personal data from the EU to the United States is no longer possible in principle, except in a few specific situations. This is the opinion of all European data protection supervisory authorities, including the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg. In its guidelines, the State Commissioner for Data Protection and Freedom of Information points out that only such solutions may be used where there are no transfer issues. Otherwise, the data transfer will be prohibited by the State Commissioner for Data Protection and Freedom of Information and may result in fines and claims for damages.
Lack of alternatives?
Does banning Zoom, Teams and GoToMeeting also mean abandoning video conferencing solutions? No, because there are GDPR-compliant providers of video conferencing solutions in the EU. For example, alfaview® from Karlsruhe, Germany is in no way inferior to Zoom in terms of functionality and stability - on the contrary - and also puts special emphasis on the protection of personal data. For the provision of services, only ISO 27001-certified data centres of companies based in Germany and the EU and thus within the GDPR area are used. Through the ISO certification of the data centres, the provider proves the high GDPR security standard. Video and audio streams are encrypted according to current standards (TLS/AES 256) and are not stored. In addition, the data processing agreement (DPA) and the technical-organisational measures (TOM) are publicly available on the company's website. alfaview® runs stably and without latencies on all common platforms, regardless of the number of participants. A browser-based solution is not used, since as soon as video conferences are held via a web browser, such as Google Chrome, Firefox, Safari or Edge, user-related data can be accessed via the browser.
Even though people are currently increasingly working remotely and communicating via videoconferencing tools again, this cannot be done with data protection concerns in mind. There are definitely alternatives "Made in the EU" that are worth taking a closer look at.
Even though people are currently increasingly working remotely and communicating via videoconferencing tools again, this cannot be done with data protection concerns in mind. There are definitely alternatives "Made in the EU" that are worth taking a closer look at.