Six data protection and privacy regulators from around the world have requested organizations involved in video teleconferencing (VTC) to concentrate on security and privacy by design in an open letter this week.
The regulatory community, which is responsible for protecting the privacy of individuals worldwide, is concerned that the growing usage of video conferencing solutions as a result of the COVID-19 pandemic has increased the risks associated with VTC companies’ handling of personal information, and has also generated additional risks.
“Media reports, and directly to us as privacy enforcement authorities, in some cases indicate the awareness of those threats. This has given us cause for concern as to whether VTC companies’ protections and interventions are keeping pace with the rapidly increasing risk profile of the personal information they handle, “reads the letter.
In addition to expressing their concerns, the privacy watchdogs outlined their assumptions about how video conferencing providers are supposed to mitigate those risks, as well as the steps they can take to ensure that users ‘ personal information is secured.
The regulators also urge VTC companies to identify and fix certain issues related to data protection and privacy related to their services, and regularly review their privacy position and even collaborate with regulators to mitigate risks they cannot tackle.
“We have observed some troubling reports of security flaws in VTC products during the current pandemic which allegedly lead to unauthorized access to accounts, shared files and calls,” reads the letter.
VTC companies should ensure that their products have default security safeguards, such as successful end-to – end encryption and two-factor authentication, and that strong passwords are required. Those offering VTC services to sectors handling sensitive information would focus most on these security measures.
“There should also be special attention to ensuring that information is adequately secured when accessed by third parties, including in other countries,” the letter reads.
VTC companies were also encouraged to take a privacy-by-design approach to their services, not only ensuring that data and privacy are protected at all times but also providing consumers with privacy-friendly settings from the outset.
Default settings, the letter states, ought to provide the best security of privacy, but users should be given the option of changing those to fit their needs. In addition, business users should have apps to help them comply with their own privacy policy, and VTC services should reduce the collection of personal data or information.
“VTC providers should also conduct an impact assessment on the privacy of individuals to identify the impact of their personal information handling practices and implement strategies for controlling, reducing or removing these risks,” reads the letter.
VTC companies are also encouraged to identify the environments in which their services are used, to ensure that they are able to provide data security and privacy in all contexts, to be transparent about the data they collect and how they share it, and to ensure that users have adequate information and control when using their services.
“We understand that VTC companies provide a vital service that helps us all to stay linked regardless of where we are in the world; something that is especially important in the midst of the ongoing Covid-19 pandemic. Yet ease of stay in touch should not come at the expense of data protection and privacy rights for individuals, “the regulators say.
The letter was signed by the commissioners of the Australian Information Commissioner’s Office, the Compliance Sector Office of the Privacy Commissioner of Canada, the Gibraltar Regulatory Authority, the Hong Kong Privacy Commissioner for Personal Data, the Swiss Federal Data Security and Information Commissioner and the UK Regulatory Oversight Information Commissioner’s Office.
