NORDUnet Zoom: GDPR and Privacy Facts

NORDUnet Zoom: GDPR and Privacy Facts

The use of video conferencing and teaching via Zoom has accelerated in recent weeks. Many people are concerned about GDPR and privacy issues when using the video service, and NORDUnet receives numerous inquiries on this subject. To address this matter, we have listed privacy related facts pertaining the Zoom service, including an outline of what NORDUnet has done to be in compliance with GDPR and European privacy directives.

The following facts apply to Zoom provided by NORDUnet: 

• Service Delivery: Colleges and universities in the Nordic countries that use Zoom have this service operated by NORDUnet. The service is provided by the national NREN in each country. 

• GDPR compliance: Zoom operated by NORDUnet is fully GDPR compliant and in accordance with other European privacy directives. This is secured through the individual contracts entered into and the chain of Data Processing and sub-processing agreements. University->NREN->NORDUnet->Zoom->sub providers (i.e. Amazon, ref. below) 

• User account data: Data from users of NORDUnet's Zoom service is not stored with Zoom in the United States. The account data is stored in Zoom datacentres in Europe.
We use dedicated (virtual) servers installed in Copenhagen, Denmark and Stockholm, Sweden, for all meetings and meeting data. 

• Logging in: All organizations that use Zoom provided by NORDUnet decide for themselves which login solution their users should use. Most use the National identity federation login (SWAMID, FEIDE, HAKA and WAYF), or directly the local institution Single Sign-On solution (SSO).

• Personal information: Personal information about users of NORDUnet's Zoom service is processed within the EU in accordance with the applicable data processing agreement. This applies to personal information necessary for using the service, such as first name, last name, email address, role, etc. Typically, as released by the home institution, using the national identity federation, through SAML attributes. No credit card details, telephone numbers or other similar information is stored in the Zoom instance provided by NORDUnet. (See section above for storing of personal data) 

• Zoom public service: Zoom centrally in the US provides a so-called "public" or public service. Zoom from NORDUnet is not part of this public service. NORDUnet provides a private Zoom service, regulated by a separate framework agreement.  

• Zoom local administrators: All organizations that use Zoom provided by NORDUnet have one or more local institution administrators. As with other ICT services, local Zoom administrators have a higher degree of access and use of control tools than ordinary users. Such access is necessary to keep good quality of service and to help out single users if they need assistance. 

• Cloud recording: Zoom operated by NORDUnet does not contractually provide for the option to have meetings recorded with Zoom in the United States, the so-called cloud recording. Local Zoom administrators have been instructed to disabled this option for all of their users. 

• Local recording: NORDUnet's Zoom service allows for local recording. If a meeting is recorded, participants in the meeting are automatically notified with a symbol in the video window and in the attendee list. The local institution administrator can set up Zoom so that all attendees must approve any recordings. The local administrator can also control whether other participants can record the meeting. 

• Safe meetings: Zoom offers a number of mechanisms for creating safe meetings. For example, waiting rooms, and the possibility for the meeting hosts to password protect the meeting. Meeting hosts can also “lock” meetings, then no one but the invited participants can participate, this also applies to administrators. No one can use meeting rooms created by other users without permission. 

• Encryption: All video and audio traffic and data are by default encrypted, too and from the meeting servers. 

• Attention tracking: Zoom includes a feature called "attention tracking". This feature provides the meeting host with an indicator of whether participants have the Zoom window active during screen sharing. The host does not receive any other information from the participants' devices. The function can be disabled by the local administrator. (April 2'nd 2020, The feature is currently not available, as Zoom has disabled the features for all accounts due to privacy concerns)

• Zoom Amazon private extension: During the COVID-19 crisis we see an unprecedented high use of the Zoom service. This has made NORDUnet look for a temporary quick solution to allow for a very large number of concurrent users. We have through Zoom purchased a temporary installation in Stockholm/Amazon until the increased use goes back to more normal levels. Likewise, we have expanded the capacity in the on-premise installation to cope with the new “normal”. The Zoom Amazon extension is under contract from NORDUnet and follows all obligations that already contractually exist between any NREN, NORDUnet and Zoom.  

• Data overview