EU officials are being told to avoid the Zoom conferencing platform over privacy and security concerns — but some still use it anyway.
Use of Zoom has skyrocketed as people have turned to technology to stay in touch during the coronavirus lockdown. But the San Jose, California-based company now faces a growing backlash, after a wave of damaging reports of data leaks, undisclosed data-sharing and unwanted service interruptions.
U.S. senators have been warned in an internal memo that Zoom poses a high risk to privacy and security, while companies like Google and SpaceX have banned their staff from using the technology.
Now Brussels is following suit, at least on paper.
“Zoom is not an approved corporate IT solution for use by Commission’s services,” a spokesperson for the EU’s executive body said. Internal guidelines tell staff to avoid using the platform for work.
Instead, Commission staff have been advised to use Skype for Business for internal meetings and WebEx for external ones.
At the European Parliament it is a similar story. A spokesperson said that Zoom was an example of “external softwares not certified as complying with data protection” in internal guidelines. Committee sessions under lockdown have mostly taken place on Interactio, a platform geared toward multilingual meetings.
But in practice many European officials continue to use Zoom despite privacy concerns because “other tools just work less well,” according to MEP Sophie in ‘t Veld.
She said that a meeting scheduled to take place using the Parliament’s system Tuesday morning ended up taking place on Zoom. “I am currently waiting for a session with the official EP system to start. Official start of the meeting: 10h….waiting since half an hour….🙄,” she said in an email.
In ‘t Veld has been at the forefront of calls for clearer guidance on using digital services and products. “I don’t think it is fair to put the burden of verifying and enforcing compliance with European data protection rules on the shoulders of the users … There is no competition between safe cars and unsafe cars. The authorities will make sure they all meet the standards. The same should apply to digital products and services,” she said.
In a recent interview with POLITICO, the Parliament’s vice president responsible for information technologies, Marcel Kolaja, highlighted similar concerns.
“If it’s a platform established in the country where the company has the obligation to provide data to the government or intelligence agencies — and where it can also be given a gag order so that they cannot even tell anyone that this is happening — this is a risk. Everyone who shares anything via that platform needs to understand this,” he said.
A Zoom spokesperson said the company takes user security extremely seriously and is compliant with GDPR, Europe’s data protection law.
“A large number of global institutions, ranging from the world’s largest financial services companies, to leading telecommunications providers, government agencies, universities, healthcare and telemedicine practices, have done exhaustive security reviews of our user, network and datacenter layers and confidently selected Zoom for complete deployment. Zoom is in communication with governments around the world and is focused on providing the information they need to make informed decisions about their policies.”
While EU institutions seem to be coalescing around a consensus on Zoom, overarching guidance is lacking.
“Every EU institution is independently choosing its system and needs to ensure that IT security and data protection are guaranteed. Of course this topic is of interest to the EDPS, but as far as I know no official guidance is foreseen from our side for the moment,” said a spokesperson for the European Data Protection Supervisor, the body that oversees EU institutions’ data handling.
The EDPS uses WebEx and Jabber for internal meetings, the spokesperson added. Europe’s grouping of privacy regulators, the European Data Protection Board, does plan guidance looking into teleworking tools and practices in the context of the coronavirus outbreak, but has postponed it to focus its efforts on geolocation and other tracing tools, and processing of health data for research purposes.
Similarly lacking is a common line on remote working tools across the bloc’s national governments — a state of affairs that comes to the fore for the Council in particular.
“The General Secretariat of the Council does not operate or manage a single videoconferencing system across all member states. Each national government department connects into the Council’s hub using their own videoconferencing systems,” a spokesperson for the Council said.
UPDATED: This article has been updated with additional comment from Zoom on its compliance with the GDPR.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email email@example.com to request a complimentary trial.
Click Here: Rugby league Jerseys