Zoom-ing in on data protection

Legal Notes

With Joanna Marzouca

Wednesday, November 25, 2020



As a consequence of COVID-19, we have moved away from face-to-face interactions and now use videoconferencing for work, school, doctors' visits and even weddings. Today, Zoom and similar platforms have become a fixture in our daily lives. In this article we will 'zoom in' on recent developments involving this popular platform and the risks that may be associated with its use, including risks to data privacy, particularly in light of the passage of the Data Protection Act here in Jamaica.

THE COMPLAINT

Recently, the US Federal Trade Commission (FTC) announced a settlement with Zoom, the videoconferencing platform, to settle allegations that the company engaged in a “series of deceptive and unfair practices that misled consumers about the security of their communications on the platform and that put certain users' security at risk”.

The complaint against Zoom alleged that Zoom:

1. misled users by offering 'end to end, 256-bit encryption to secure users' communication' when in fact it provided a lower level of security. End-to-end encryption is a method of securing communications so that only the sender and recipient(s) can read the content. The FTC alleged that this lower level of encryption allowed Zoom to access the content of users' meetings. This was of particular concern to the FTC given the coronavirus pandemic and the rapid acceleration in the use of videoconferencing or virtual meetings in personal and professional life;

2. falsely claimed that recorded Zoom meetings were encrypted immediately after the meeting ended, but instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom's servers before being transferred to its secure cloud storage; and

3. compromised the security of some users when it “secretly installed” software called ZoomOpener, specifically on Mac desktops. ZoomOpener allowed Zoom to automatically launch and join a user to a meeting by bypassing a safeguard in the Apple Safari browser (the default browser on Apple computers) that protects users from a common type of malware. The complaint alleges that Zoom did not implement offsetting measures to protect users' security and increased users' risk of remote video surveillance by strangers.

Zoom agreed to settle the charges brought by the FTC and has, since the complaint, discontinued many of the practices challenged in it. In May 2020, Zoom announced the acquisition of Keybase, which it believes will help the company build sufficient end-to-end encryption for the platform. Zoom has also issued a statement expressing its “commitment to innovating and enhancing their product as we [Zoom] deliver a secure video communications experience”.

WHAT DO COMPLAINTS SUCH AS THIS MEAN FOR DATA PROTECTION IN JAMAICA?

The recently passed Data Protection Act (the Act) in Jamaica requires data controllers to comply with the data protection standards outlined in the Act in relation to all personal data. A data controller is an individual or corporate body that, alone or in conjunction with others, determines the purpose and manner in which any personal data are, or are to be, processed, and where personal data is processed only for purposes for which they are required to be processed.

Following the enactment of the Act, a data controller must ensure that appropriate technical and organisational measures are taken and maintained against the unlawful processing of personal data. Data controllers may outsource the processing of data to a third party, which the Act defines as a data processor.

Where the processing of personal data is carried out by a data processor, the data controller must choose a data processor that provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and must take reasonable steps to ensure compliance with those measures and protection of the entity and its assets, including its information. This means that a data controller does not relinquish control of data to the data processor and remains in control of specifying how the data is to be used and processed. The term “processing” is very broadly defined under the Act; it includes obtaining, recording, or storing information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data.

While we are still awaiting the date for the Act to be brought into force, and it allows for a two-year transition period, businesses must now be considering these data security and data privacy measures and planning for the role and selection of data processors.

Data controllers and those with responsibility for risk and compliance generally, on the other hand, must be mindful of the data processor's security measures and take sufficient steps to ensure that those measures are sufficient. The Act specifically requires that the technical and organisational measures be appropriate to the data being processed; these measures include encryption and the ability to monitor the confidentiality, integrity and availability of processing systems. Therefore, data controllers who control sensitive personal data, for example, genetic data, would require a higher degree of security measures for themselves and their data processors to comply with the Act.

Where a data controller utilises a data processor that does not provide sufficient security measures and/or the data controller does not take reasonable steps to ensure compliance with the appropriate security measures, it is at risk of committing a breach of the Act. Apart from any penalty specified in the Act, breaches may result in fines of up to four per cent of the annual gross worldwide turnover of the body corporate in breach. Furthermore, the Act provides that directors and officers of a body corporate in breach of the Act may also be held liable where the offence was committed with the consent or connivance of, or is attributable to the negligence of, the director or officer or a person purporting to act as an officer or director.

The Act was drafted based on the General Data Protection Regulation Guidelines (GDPR) and the GDPR contains similarly worded provisions. Jamaican entities that offer goods or services to individuals in the European Union may fall within the scope of the GDPR and be required to comply with its provisions. The GDPR has extraterritorial reach and has continuously fined companies outside of the EU that fall within its scope. Therefore, if a Jamaican entity falls within the GDPR, it should already be mindful of all of the foregoing, as non-compliance may result in a breach of the GDPR.

With data protection still in its infant stages in Jamaica, there can be some uncertainty as to whether you fall within the Act. If you think you may fall within the scope of the Act or even the GDPR it is best to zoom in on data protection and be safe and not sorry and consult an attorney-at-law to confirm your position in relation to the Act.

The FTC's decision in the Zoom case is a concern for everyone, especially those with personal and sensitive data, as they should assess their use of these platforms and any of the various security vulnerabilities. The conditions imposed by the FTC will apply to the company's operations worldwide, and we will have to wait and see how that practically impacts Jamaican users.

Joanna Marzouca is an associate at Myers, Fletcher & Gordon, and is a member of the firm's Commercial Department. Joanna may be contacted via joanna.marzouca@mfg.com.jm or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.

