Privacy Issues for Communications Service Providers
Back Page Front Burner
By Siobhan Lewis and David Naylor
The implementation of social distancing measures around the world in the first quarter of 2020 resulted in a rapid increase in demand for communications platforms, which have been used for everything from government cabinet meetings to wedding and funeral ceremonies. Despite the surge in demand and widespread use of these platforms, many of them have failed to pass muster when it comes to privacy compliance. Zoom Video Communications, Inc., was hit with a class action suit by one of its shareholders, accusing the videoconferencing app of overstating its privacy standards and failing to disclose that its service was not end-to-end encrypted.
Protecting personal data is a key obligation under data protection legislation, and breaches often attract significant penalties. From a reputation management perspective, security issues also notoriously make headlines. Reports of security breaches, even where no real evidence of the breach has materialized, can quickly result in users cancelling their accounts due to a loss of trust. To implement tight security, platform providers should be conducting data protection impact assessments to consider risk; implementing technical measures appropriate to the risk; continuously monitoring their security framework; and considering the requirement for passwords and the type of encryption necessary, especially for platforms intended for corporate use.
As a legal requirement under the General Data Protection Regulation (GDPR), privacy should be deeply ingrained at each stage of platform development, taking design and presentation into account. The UK government exemplified the risks here when its Zoom conference ID was accidentally shared online in a cabinet meeting screenshot. Educating users and drafting terms of service that prohibit the unauthorized sharing of screenshots and recording of video calls are other preventative measures. To further ensure privacy by design, platform providers should limit data collection, set geolocation tracking to “off” by default, and carefully consider the appropriateness of features that allow users to track other users’ use of platforms.
Transparency is key for communications service providers as controllers of personal data. Users must be told what information is held about them, who the personal data is shared with, and why it is shared, in a clearly drafted privacy policy. If a provider shares users’ data to enable targeted advertising, for example, it must be done legitimately, which includes telling the user. In Europe, at least, it will generally require their consent.
Platforms are also likely to receive information requests from data subjects. Platforms can limit their exposure by being aware of the subject’s rights in relation to such requests; the relevant time periods in which to respond; and by developing and implementing efficient data collection, segregation, retention, and deletion policies. Information requests from law enforcement authorities are also steadily growing. Given that different legal frameworks apply in this context, platforms should ensure they understand what they can and cannot disclose.
Ultimately, there is a balance to be struck between security and accessibility, as the easier a platform is to use, the less secure it tends to be. Providers of communications platforms should think about this when determining their target audience and the evolution of the platform. Nonetheless, protecting users’ data and ensuring their privacy are non-negotiable obligations and will underpin a platform’s success.
Siobhan Lewis is an Associate at Wiggin LLP. She advises clients in the media and technology sector on commercial, regulatory and data protection matters. siobhan.lewis@wiggin.co.uk
David Naylor is a partner in Wiggin LLP’s technology transactions group and head of the data protection practice. He works with technology, media and IP-focused businesses, and has significant experience working with U.S. and European companies on international business expansion and cross-border, multi-jurisdictional transactions and projects. david.naylor@wiggin.co.uk