In an open letter this week, six data protection and privacy regulators from around the world have asked video teleconferencing (VTC) organizations to focus on security and privacy-by-design.
The regulatory community, which is responsible for ensuring the privacy of individuals worldwide, is concerned that the increased use of video conferencing solutions as a result of the COVID-19 pandemic has heightened the risks associated with the handling of personal information by VTC companies, and has created additional risks as well.
“Reports in the media, and directly to us as privacy enforcement authorities, indicate the realization of these risks in some cases. This has given us cause for concern as to whether the safeguards and measures put in place by VTC companies are keeping pace with the rapidly increasing risk profile of the personal information they process,” the letter reads.
In addition to voicing their concerns, the privacy watchdogs detailed their expectations regarding the manner in which video conferencing companies are expected to mitigate said risks, as well as the steps they should take to ensure they secure the personal information of users.
The regulators also encourage VTC companies to identify and address other data protection and privacy issues associated with their services, and regularly review their stance on privacy and even work with regulators to mitigate risks that they cannot resolve.
“During the current pandemic we have observed some worrying reports of security flaws in VTC products purportedly leading to unauthorized access to accounts, shared files, and calls,” the letter reads.
VTC companies should ensure that their solutions include security safeguards by default, such as effective end-to-end encryption and two-factor authentication, and that they demand strong passwords. Those offering VTC services to sectors that process sensitive information should focus the most on these security measures.
“Particular attention should also be paid to ensuring that information is adequately protected when processed by third-parties, including in other countries,” the letter reads.
VTC companies have also been urged to take a privacy-by-design approach to their services, and not only ensure that data and privacy are protected at all times, but also that users are provided with privacy-friendly settings from the start.
Default settings, the letter says, need to ensure the best privacy protection, but users should have the option to adjust those to suit their requirements. Furthermore, business users should be provided with features to help them comply with their own privacy policies, and VTC services should minimize the capture of personal information or data.
“VTC providers should also undertake a privacy impact assessment to identify the impact of their personal information handling practices on the privacy of individuals, and implement strategies to manage, minimize or eliminate, these risks,” the letter reads.
VTC companies are also encouraged to identify the environments in which their services are used, so as to ensure they can deliver data security and privacy in all contexts, to be transparent about the data they collect and how they share it, and to ensure that users have the appropriate information and control when using their services.
“We recognize that VTC companies offer a valuable service allowing us all to stay connected regardless of where we are in the world; something that is especially important in the midst of the current Covid-19 pandemic. But ease of staying in touch must not come at the expense of people’s data protection and privacy rights,” the regulators note.
The letter was signed by commissioners with the Office of the Australian Information Commissioner, the Compliance Sector Office of the Privacy Commissioner of Canada, the Gibraltar Regulatory Authority, the Privacy Commissioner for Personal Data for Hong Kong, the Federal Data Protection and Information Commissioner for Switzerland, and the United Kingdom’s Regulatory Supervision Information Commissioner’s Office.