As a consequence of COVID-19, we have moved away from face-to-face interactions and now use video conferencing for work, school, doctors’ visits and even weddings. Today, Zoom and similar platforms, have become a fixture in our daily lives. In this article we will ‘zoom-in’ in on recent developments involving this popular platform and risks that may be associated with its use, including that of data privacy particularly in the light of the passage of the Data Protection Act herein Jamaica.
Recently, the U.S Federal Trade Commission (“FTC”) announced a settlement with Zoom, the video conferencing platform, to settle allegations that the company engaged in a “series of deceptive and unfair practices that misled consumers about the security of their communications on the platform and that put certain users’ security at risk”.
The complaint against Zoom alleged that Zoom:
- misled users by offering ‘end to end, 256-bit encryption to secure users’ communication’ when in fact it provided a lower level of security. End to end encryption is a method of securing communications to that only the sender and recipient(s) can read the content. The FTC alleged that this lower level of encryption, allowed Zoom to access the content of users’ meetings. This was of particular concern to the FTC given the COVID-19 pandemic and given the rapid acceleration in the utilization rate of video conferencing or virtual meetings in personal and professional life;
- falsely claimed that recorded Zoom meetings were encrypted immediately after the meeting ended, but instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage; and
- compromised the security of some users when it “secretly installed “software called ZoomOpener, specifically on Mac desktops. ZoomOpener allowed Zoom to automatically launch and join a user meeting and bypass an Apple Safari browser (the default browser on Apple computers) as a safeguard to protect users from a common type of malware. The complaint alleges that Zoom did not implement offsetting measures to protect user’s security and increased users’ risk of remote video surveillance by strangers.
Zoom agreed to settle the charges brought by the FTC and has since the complaint, discontinued many of the practices challenged in the complaint. In May 2020, Zoom announced the acquisition of Keybase which they believe will help the company build a sufficient end-to-end encryption for the platform. Zoom has also issued a statement expressing their “commitment to innovating and enhancing their product as we [Zoom] deliver a secure video communications experience”.
What Do Complaints Such As This Mean For Data Protection In Jamaica?
The recently passed Data Protection Act (“the Act”) in Jamaica requires data controllers to comply with the data protection standards outlined in the Act in relation to all personal data. A Data Controller is an individual or corporate body, alone or in conjunction with others, determines the purpose and manner in which any personal data are, or are to be, processed, and where personal data is processed only for purposes for which they are required to be processed.
Following the enactment of the Act, a data controller must ensure that appropriate technical and organizational measures be taken and maintained against the unlawful processing of personal data. Data controllers may outsource the processing of data to a third party, these are defined by the Act as a data processor.
Where the processing of personal data is carried out by a data processor, the data controller must choose a data processor that provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out and take reasonable steps to ensure compliance with those measures and protection of the entity and its assets, including its information. This means that a data controller does not relinquish the control of data to the data processor and remains in control of specifying how the data is to be used and processed. While the term “processing” is very broadly defined under the Act it includes obtaining, recording, or storing information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data.
While we are still awaiting the date for the Act to be brought into force and it allows for a two-year transition period business must now be considering these data security and data privacy measures and planning for the role and selection of data processors.
Data controllers and those with responsibility for risk and compliance generally, on the other hand, must be mindful of the data processors security measures and take sufficient steps to ensure that they provide sufficient security measures. The Act specifically requires that the technical and organizational measures should be appropriate to the data being processed and measures include encryption and the ability to monitor the confidentiality, integrity and available of processing systems. Therefore, data controllers who control sensitive personal data eg. genetic data, would require a higher degree of security measures, for themselves and data processors, to comply with the Act.
Where a data controller utilizes a data processor that does not provide sufficient security measures and/or the data controller does not take reasonable steps to ensure compliance with the appropriate security measures, it is at risk of committing a breach of the Act. Apart from any penalty specified in the Act breaches may result in fines of up to four percent of the annual gross worldwide turnover of the body corporate in breach. Furthermore, the Act provides that directors and officers of a body corporate in breach of the Act may also be held liable where the offence committed was with the consent, connivance of or is attributable to the negligence of the director or officer or a person purporting to act as an officer or director.
The Act was drafted based on the General Data Protection Regulation Guidelines (GDPR) and the GDPR contains similarly worded provisions. Jamaican entities who offer goods or services to individuals in the European Union may fall within the scope of the GDPR and be required to comply with its provisions. The GDPR has extra territorial reach and has continuously fined companies outside of the EU who fall within its scope. Therefore, if a Jamaican entity falls within the GDPR, they should be mindful of all of the foregoing already as non-compliance may result in a breach of the GDPR.
With data protection still in its infant stages in Jamaica, there can be some uncertainty as to whether you fall within the Act. If you think you may fall within the scope of the Act or even the GDPR it is best to zoom in on data protection and be safe and not sorry and consult an attorney at law to confirm your position in relation to the Act.
The FTC’s decision in the Zoom case is a concern for everyone, especially those with personal and sensitive data as they should assess their use of these platforms and any of the various security vulnerabilities. The conditions imposed by the FTC will be applicable on the company’s operations worldwide, and we will have to wait and see how that practicality impacts Jamaican users.