Online Video Conferencing – Don’t Forget About Privacy!

As businesses adjust to working remotely, and people adjust to social distancing, many have turned to online video conferencing programs for virtual meetings with clients or patients, and for catching up with friends and family. Businesses and health information custodians continue to be required to comply with their privacy obligations in the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Personal Health Information Protection Act (“PHIPA”). It is important to understand the privacy implications of using these online video conferencing services.

I’m going to focus on Zoom, as this appears to be one of the most popular free services (and the one that I have started using to share a glass of wine with my friends and family). However, the concerns discussed below apply equally to other service providers, although the specifics may differ.

Zoom’s privacy policy was last updated on March 18, 2020 – since the coronavirus pandemic was declared. Zoom has a Whitepaper specific to its compliance with PIPEDA and PHIPA, which at least indicates Zoom has considered users’ obligations pursuant to some of Ontario’s privacy legislation.

Zoom collects a considerable amount of Personal Data, which it defines as “any data that can be used to identify or is reasonably linkable to a specific person.” Of concern is that Zoom collects Personal Data regardless of whether or not a user has an account. It “may” collect Personal Data within the following categories:

  • Information commonly used to identify you, such as your name, user name, physical address, email address, phone numbers, and other similar identifiers
  • Information about your job, such as your title and employer
  • Credit/debit card or other payment information
  • Facebook profile information (when you use Facebook to log-in to its Products or to create an account for its Products)
  • General information about your product and service preferences
  • Information about your device, network, and internet connection, such as your IP address(es), MAC address, other device ID such as Unique Device Identifier (UDID), device type, operating system type and version, and client version
  • Information about your usage of or other interaction with its Products
  • Other information you upload, provide, or create while using the service

Zoom indicates that this Personal Data is collected to provide users with the “best experience with [its] Products.”

The sources from which a user’s Personal Data is collected appear to be limitless. It is gathered “directly from [the user], directly from your devices, or directly from someone who communicates with you using Zoom services, such as a meeting host, participant, or caller.” Some of this data is collected automatically upon use of its products and services. Personal Data is also gathered from third-party partners, which help to deliver Zoom’s services; agreements are in place so those third parties do not use any information collected by Zoom for their own commercial purposes. Somewhat ambiguously, the privacy policy also states that Zoom “may also receive Personal Data that third parties collect in other contexts, which we use in order to better understand our users, advertise and market, and enhance our services.”

One question most people want answered is whether Zoom sells their Personal Data. Technically no. However, the answer really depends on how “sell” is defined. Zoom does not accept payment for access to Personal Data it has collected. In Zoom’s “humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.” It does use certain advertising tools that require Personal Data to improve users’ advertising experience, which, under certain laws, can be interpreted to be a “sale” of data. The privacy policy states that “if you opt out of ‘sale’ of your info, your Personal Data that may have been used for these activities will no longer be shared with third parties.” After about 15 minutes exploring the tabs in my Account page, then doing a keyword search in the website Knowledge Base for “opt out of sales” and scrolling through 10 pages of results, and checking the FAQ page, I still haven’t figured out how to activate the opt out of sales feature.

The provision of Personal Data for advertising tools would appear to contradict Zoom’s statement in its PIPEDA and PHIPA Whitepaper that there is “no sharing of customer data with third parties”.

A free or paid Zoom subscriber can record meetings to their local device, and paid subscribers can record meetings to the Zoom Cloud. Zoom downloads the responsibility for obtaining all necessary consents onto the meeting host. If you are recording the meeting locally, you are responsible for the security and protection of that data. If you use Zoom’s cloud recording service, you will want to ensure that the Zoom Cloud security meets the requirements of your organization’s privacy policy.

Another area of privacy concern is where user Personal Data is going to be stored. According to the privacy policy, Zoom may transfer Personal Data to the United States, to any Zoom affiliate worldwide, or to third parties acting on its behalf for the purposes of processing or storage. Where required by law, it will store information locally. Canada and Ontario do not restrict where personal information can be stored. If you are using Zoom, you want to make sure that your client or patient is aware that their Personal Data may be stored outside of Canada, which opens it up to permissible disclosure to foreign entities (e.g. in response to court orders, search warrants, etc.).

Today’s new business reality requires organizations and health information custodians to utilize online video conferencing services in order to continue to operate. However, they cannot ignore their privacy obligations in order to deliver their services. Below are tips on how to utilize online video conferencing tools while protecting client and patient personal information:

  • Review the online video conferencing service provider’s privacy policy to understand what data is being collected, and from what sources.
  • Review your own company’s privacy policy to ensure it permits the use of online video conferencing – revisions to the policy may be required in order to utilize these services.
  • Do not use Facebook to log in to the service. Recommend that clients and patients use an email address to access the service in order to limit the amount of Personal Data collected.
  • Obtain consent from your client or patient to utilize online video conferencing to communicate with them, specifically advising them of the collection and possible use of their data by the service provider. Confirm this consent in an email.
  • Before recording a meeting, even locally, obtain the participants’ consent to do so.
  • Do not record meetings to the provider’s cloud unless it complies with your company’s internal privacy policy.
  • Inform your clients and patients that their Personal Data may be stored outside of Canada.

The Lerners privacy law team is able to assist you in understanding the privacy implications of using online video conferencing services.

Alysia M. Christiaen
