GRA joins other regulators in dialogue with tech giants on teleconferencing privacy safeguards

The Gibraltar Regulatory Authority is among six data protection and privacy authorities from around the world that are engaging with video teleconferencing [VTC] companies on privacy safeguards.

In July last year, the GRA and its counterparts in Australia, Canada, Hong Kong SAR, China, Switzerland and the United Kingdom jointly signed an open letter to the companies highlighting concerns about whether privacy safeguards were keeping pace with the rapid increase in use of VTC services during the global pandemic.

The letter provided VTC companies with some guiding principles to address key privacy risks.

The joint signatories invited five of the biggest VTC companies to reply to the letter.

Microsoft, Google, Cisco and Zoom responded, setting out how they take the principles into account in the design and development of their VTC services. Houseparty did not respond but has engaged with the UK Information Commissioner’s Office directly.

Following a review of the responses, the joint signatories further engaged with these companies to better understand the steps they take to implement, monitor, and validate the privacy and security measures put in place.

“Most people have found VTC services very useful during the current global health crisis,” the regulators said.

“For many, they have been a vital lifeline.”

“Our dependence on, and general use of, VTC services is likely to continue through the pandemic and after we emerge from it.”

“High standards, robust measures, and best practices for privacy and security in the VTC industry are important for the safe deployment of these services and the ongoing trust of business and personal users.”

The work has allowed the joint signatories to engage, in a coordinated manner and with a uniform voice, with some of the largest and fastest growing technology companies, whose services are used worldwide.

It has also given those companies the opportunity to explain their approach to data protection and privacy through direct and practical interaction with a subset of the global privacy regulatory community representing citizens from jurisdictions across four continents.

The dialogue between VTC companies and data protection authorities has proven effective, efficient and mutually beneficial.

It touched on areas ranging from security and risk management to user management, transparency and the need for guidance for people using the platforms.

The regulators made a number of recommendations relating to encryption, secondary use of data, and the storage of data.

“Moving forward, the joint signatories highlight this model of engagement as valuable and replicable in circumstances where emerging issues would benefit from open dialogue to help set out regulatory expectations, clarify understanding, identify good practice, and foster public trust in innovative technologies, the regulators added.