Data protection conference: High demands on video conference systems

Source: Heise.de added 01st Nov 2020


Companies, authorities and other organizations cannot easily use widely used video conferencing systems such as Microsoft Teams, Skype, Zoom, Google Meet, GoToMeeting and Cisco WebEx, even in times of the coronavirus pandemic. In an orientation guide published on Friday, the data protection officers of the federal and state governments recommend that relevant services of US providers be “carefully checked” prior to deployment.


Adequate protection of personal information

“The largest and best-known providers of video conferencing products are based in the USA and process the data there,” states the Data Protection Conference (DSK) in its handout. After the European Court of Justice (ECJ) recently declared the transatlantic Privacy Shield to be invalid, this instrument is no longer available to ensure adequate protection of personal information transmitted to the USA.

Anyone who bases data exports on the alternative standard contractual clauses must “analyze the legal situation in the third country with regard to official access and legal protection options for data subjects” before the start of the transmission, the supervisory authorities explain.

According to the DSK, further analyses are required to make “more concrete statements” about additional protective measures in the light of the ECJ case law. The separate inspection obligation also applies if the contractual partner is a European subsidiary of a US company or if European providers in turn transmit personal data to the USA.

Green light for open source software

Previously, the leading systems from overseas had already failed a short test by the Berlin data protection officer Maja Smoltczyk. The inspector gave the go-ahead for commercially available instances of the open source software Jitsi Meet, such as the service from Netways orafe-videokonferenz.de. She also rated the Tixeo Cloud, BigBlueButton instances from Werk and the messenger Wire as positive.

It would be best to operate conference services with open source software yourself, the DSK now sets out. Those responsible would then also have to “have sufficient technical and personnel capacities for operation and maintenance and take suitable technical and organizational measures to protect the data”. This could be challenging for smaller institutions.

Service providers and “ready-made” online services

If operation by an external service provider is also possible, the analysis shows that “the software used or offered to participants must be examined for data leaks to the manufacturer and third parties”. This includes diagnostic and telemetry data. Such “calling home” must “be prevented unless there is a legal basis for this”.

It becomes no less complicated when institutional users fall back on a “ready-made” online service, the inspectors point out. “The person responsible must ensure compliance with the data protection principles by selecting a suitable provider”, give it appropriate instructions “and take their own precautions”. For this purpose, the person responsible has to check the relevant contracts, conditions of use and security evidence submitted by the processor, and also its data protection declaration.

Informed and voluntary consent often doubtful

According to the paper, anyone who wants to hold a video conference must first find out to what extent they are authorized to process the large amount of personal data associated with it. In doing so, they have “to pay particular attention to the principle of data economy”. If the choice falls on the tool of an external provider, they must first “clarify the data protection relationship to this”.

Under the General Data Protection Regulation (GDPR), informed and voluntary consent comes into question as a legal basis for the use of a video conferencing service, in addition to “legitimate interest”. Especially in a professional or school context, however, voluntariness is “often doubtful”, the DSK states. This applies above all when indispensable information “is only communicated in the context of a video conference”.

Problem: home office transmission of picture or sound

Where employees participate from their home office, according to the document, the problem arises that, without the employees' consent, other participants must not be given a view into their privacy through image or sound. The employer must therefore provide neutral backgrounds. An “unfavorable camera alignment, taking the devices into unsuitable rooms or rooms occupied by third parties, the unprepared visual and / or acoustic appearance of third parties in the video conference and similar ‘breakdowns’ are to be avoided”.

Over 25 pages, the data protection officers list many other points that must be observed, such as adequate IT security. At the time of work on the paper, for example, end-to-end encrypted solutions that meet these requirements and enable video conferences for a larger number of participants, even if only low or varying bandwidth or computing power is available at the endpoints they use, were not yet marketable. Transport encryption can therefore currently be sufficient to meet the legal requirements, provided that an appropriate level of protection is guaranteed through compensatory measures.

“Only authorized persons should be able to access a video conference session and its data,” write the authors. If there was a threat of high risks for the rights and freedoms of the participants, “at least two-factor authentication according to the state of the art” must take place.

(bme)
