Following an intensive, collaborative consultation with SURF, the ICT service provider for Dutch education and research, Zoom has made and will continue to make changes to its privacy agreements for Education and Enterprise customers in European Economic Area (EEA). In addition to these changes and new contractual agreements, SURF advises organisations to implement several recommended measures themselves, and to conclude new data processing agreements with Zoom. As soon as these have been implemented, SURF advises that data subjects can use Zoom for highly confidential communications and will not face what SURF considers high privacy risks.
The adjustments were the result of discussions between SURF and Zoom after an initial Data Protection Impact Assessment (DPIA) was carried out in May 2021. This was commissioned by the Dutch government (SLM Rijk) and SURF. A DPIA is an instrument that identifies privacy risks for data subjects and is considered necessary if there are likely high privacy risk for data subjects, including where there is large-scale processing of personal data or processing of sensitive personal data.
“Privacy is very important for education. Zoom has been able to provide good solutions in harmonious cooperation with us and that is worth a lot,” explained Jet de Ranitz, CEO of SURF. “I am incredibly proud of the team that worked hard to get these results. It may inspire other parties to work together in a similar way.”
In collaboration with SURF, Zoom addressed the privacy risks identified in the first DPIA in May 2021 by making changes to its software, entering into a processor agreement and committing to future changes. The new DPIA just published describes these contractual and technical adjustments. For example, end-to-end encryption in both one-to-one and group meetings has been possible since November 2020, and Zoom has committed itself to offer enterprise and education accounts the option to have almost all of their personal data processed in the European Economic Area (EEA) by the end of 2022. Zoom and SURF have made arrangements on this which have been included in an agreement. For personal data transferred outside the EEA, a Data Transfer Impact Assessment (DTIA) has been concluded, showing adequate safeguards for the data transfers.
Zoom and SURF will continue to work closely together in the coming months to monitor progress on the agreed mitigating measures, including, as an example, the development of a separate EU support desk during office hours local in EEA, the development of the various self-service tools for data access requests, and the implementation of privacy by design and default principles.
“Over the past two years, Zoom has been on a journey of growth and innovation. As we expanded our business to meet the growing needs of our global customer base, we evolved the way we approach data protection and data security,” said Eric S. Yuan, Zoom founder and CEO. “We are pleased the DPIA recognizes the enhancements we have made to our platform and are grateful for the role that SURF has played in supporting Zoom’s journey to achieving state-of-the-art data protection for businesses, governments, and users in Europe and around the world.”
SURF follows the developments regarding the use of cloud services, including case law and rulings by regulators closely. The European Data Protection Board (EDPB) is conducting research into the use of cloud services by the public sector. The results are expected at the end of 2022. SURF will endeavour to ensure that suppliers’ products and services are technically and contractually compliant and that risks are minimised. If necessary, SURF will include the results of future statements in adjustments to the DPIA. Zoom has committed to follow up on any additional recommendations in collaboration with SURF and the Dutch government.
Role of SURF
Thanks to its autonomous position within research and education, SURF plays an important role in discussions with ICT and content providers. SURF invests in the privacy of its members by means of DPIAs and good collaboration with suppliers. On behalf of the members, agreements are made regarding selecting, supplying, and purchasing products and services. In this way, SURF ensures economies of scale and provides a single point of contact for suppliers. It is important that the suppliers’ products and services comply technically and contractually with legislation and regulations and with the members’ needs, including privacy. DPIAs are part of this work. In this role, SURF works wherever possible with the government and collaborative organisations.
Zoom is for you. Zoom is a space where you can connect to others, share ideas, make plans, and build toward a future limited only by your imagination. Our frictionless communications platform is the only one that started with video as its foundation, and we have set the standard for innovation ever since. That is why we are an intuitive, scalable, and secure choice for large enterprises, small businesses, and individuals alike. Founded in 2011, Zoom is publicly traded (NASDAQ:ZM) and headquartered in San Jose, California. Visit zoom.com and follow @zoom.
SURF ensures that students, lecturers and researchers in education and research have access to the best possible ICT resources on favourable terms for the purpose of top-level research and talent development in national and international collaboration. SURF therefore develops, innovates and operates an advanced, federated e-infrastructure in conjunction with the institutions. SURF also organises demand aggregation, collaboration and knowledge sharing in relation to ICT themes for the member institutions.