Zoom's new privacy tools offer European data sovereignty-lite
Careful now, read the small print: Account, diagnostic data will stay in the US and Zoom can't promise calls and recordings won't pass through data centres you opted out of...
A modest overhaul of Zoom’s privacy tools and support lets paying European customers choose to have “certain data” stored in the EU.
But account and diagnostic data will still be stored in the US and even if European customers have explicitly opted out of having call data being processed in US data centres, it may still pass through them, Zoom said.
The Zoom European data storage option is now available for paying users and is one of a suite of new “privacy enhancements” from the company – including a tool for data subject access requests and audit log tracking.
A press release this week was carefully worded: “Paid customers in the EEA can select certain data for Meetings, Webinars, and Team Chat to be stored in the EEA going forward. This data will only be shared with US teams in individual cases and exceptional circumstances,” Zoom said.
Where in the EEA and what “certain data”?
Zoom told The Stack that the data storage location for European customers wanting to click this particular button is Zoom data centres in “Frankfurt, Germany” which are running “clusters” hosted by AWS.
(Why Zoom chose to refer to the EEA and not the EU is unclear. We can confirm that data is not being stored in Iceland, Liechtenstein, or Norway.)
Zoom admins can opt to have cloud recordings and recording transcripts among other datasets stored in particular locations (e.g. Germany) and also to specifically opt out of them being processed in other data centres.
Irrespective of customer storage location choice this “does not include Account Data and Diagnostic Data, which will still be stored in the US.”
Data selected for “EEA” storage “may [also] pass through network links or networking equipment in opted-out data centers while it transits [to] opted-in Zoom data centers being used for the processing of participants’ real-time meeting and webinar video…” Zoom’s privacy policy shows.
Zoom Europe data tools had help from SURF
The new Zoom privacy tools for European customers come weeks after a landmark €1.2 billion fine was levied by Ireland’s Data Commissioner against Facebook, Instagram and WhatsApp owner Meta for failing to comply with GDPR data protection requirements; a failure that the ruling suggests may equally apply to other SaaS providers sending data to the US.
(The fine was described succinctly by data consultancy Castlebridge’s Daragh O Brien as representing “the long-heralded suspension of transfers to the US under SCCs” – temporary EU to US data transfer rules that had replaced the transatlantic ‘Privacy Shield’, agreement; itself shot down by European Court of Justice on 16 July 2020 in a Schrems II ruling.)
Zoom's move also comes as a “data sovereignty” movement in Europe gains steady momentum. Germany's BWI, the IT services provider of the German Armed Forces, for example in December 2022 launched the beta version of its end-to-end encrypted (E2EE) BundesMessenger, a secure decentralised messenger for Germany’s federal, state and local authorities that can be hosted wherever a user chooses and which is built on the open source Matrix Protocol.
Microsoft meanwhile has promised to build an EU “data boundary” that keeps both customer and telemetry data within Europe for Azure, Microsoft 365, Dynamics 365 and Power BI. Julie Brill, Microsoft’s Chief Privacy Officer, told the agency: “The first phase will be customer data… we will [then] be moving logging data, service data and other kind of data into the boundary” (by end-2023 and end-2024 respectively.)
Zoom says the new privacy features were developed in part with Dutch IT education cooperative SURF, which it began working with in 2021 as part of a Data Protection Impact Assessment (DPIA) and cited SURF CEO Jet de Ranitz as being “very happy” with the Zoom European privacy changes.