Zoom and the European Union’s General Data Protection Regulation (GDPR)
Updated: October 12, 2021
Zoom’s mission is to deliver happiness through frictionless video communications, and we understand that such happiness requires privacy and security. That’s why we strive to protect and secure our customers’ communications to the highest levels, such as the data privacy obligations in the European Economic Area (“EEA”) – primarily the General Data Protection Regulation (the “GDPR”).
Zoom applauds the GDPR as an opportunity to build a stronger data protection foundation for the benefit of all. Zoom acknowledges that our customers (data controllers) need to ensure that Zoom (the data processor) implements technical and organizational measures in a manner that aligns with the GDPR’s compliance obligations. Zoom is here to help and support our customers in their role as data controllers.
The following key facts reflect Zoom’s commitment to data protection practices.
Contractual GDPR commitments for all Zoom customers
The GDPR requires that data controllers (such as organizations and developers using Zoom’s services) only use data processors (such as Zoom) that process personal data on the data controller’s behalf and provide adequate guarantees to meet specific requirements of the GDPR. Zoom provides these commitments to all our customers by incorporating Zoom’s Data Processing Addendum into the Zoom Terms of Service.
Zoom’s contractual commitments relevant to the GDPR:
- Zoom strives to be transparent and commits to using personal data only as stated in our agreement about delivering our services or as otherwise instructed by our customers.
- Zoom maintains appropriate technical and organizational security measures to protect the personal data we process.
- Zoom assists customers in fulfilling their obligations when data subjects exercise the rights attached to the personal data processed using our services (such as requests for information, access, rectification, and deletion).
International data transfer support
In July 2020, the Court of Justice of the European Union (the “CJEU”) ruled on case C-311/18 (commonly referred to as the “Schrems II decision”) concerning the validity of data transfers outside the EEA. The Schrems II decision stemmed from a complaint made by an Austrian data subject, Maximillian Schrems, concerning transfers of his personal data to the United States and the potential for U.S. governmental agencies to access his data.
In the Schrems II decision, the CJEU held that the EU-U.S. Privacy Shield framework no longer provided a lawful means to transfer personal data from the EEA to the United States.
But importantly, the CJEU also held that the European Commission’s Standard Contractual Clauses (or “SCCs”) — which form the basis of Zoom’s international transfers — remain a lawful mechanism for transferring personal data from the EEA to non-EEA countries.
Following this decision, the European Commission published new SCCs in June 2021. Zoom has incorporated the new SCCs into applicable agreements following the transition periods specified by the European Commission (i.e., by 27 September 2021 for new contracts and by 27 December 2022 for existing contracts). Please see our Customer FAQs on the new SCCs for further information.
New requirement: “Know-Your-Transfer”
The Schrems II decision also introduced a new requirement. Before transferring personal data to a country outside the EEA not considered as ensuring an adequate level of protection, data exporters must assess whether the SCCs adequately ensure that the personal data remains protected in the recipient country to a degree “essentially equivalent” with EU data protection rules.
In other words, before relying on the SCCs, the data exporter and data importer are now expected to assess whether the laws and practices in the country receiving the data may undermine the level of protection otherwise provided. To support our customers with this assessment, we’ve prepared a Data Transfer Impact Assessment (“DTIA”). If you are a current customer, please ask your Zoom representative for a copy. Otherwise please email firstname.lastname@example.org and include “Request for DTIA” in the subject line to receive a copy.
For further information about the steps Zoom takes and the additional safeguards in place when personal data is transferred from the EEA or the U.K. to Zoom in the U.S., please see our “FAQs: International Transfer of Data.”
Strong specific measures to ensure European data protection
Zoom is committed to maintaining a high level of security:
- Zoom leverages a range of encryption technologies to protect data in transit and at rest.
- Zoom utilizes security measures to support the ongoing confidentiality, integrity, availability, and resilience of our processing systems and services.
- Zoom takes measures to facilitate the restoration of availability and access to our processing systems and services promptly in the event of a physical or technical incident.
- Zoom implements a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to support the security of the data we process.
Specifically, the security measures Zoom uses to enable the security of communications sent over and stored on Zoom’s platform include the following:
- Optional End-to-End Encryption for Meetings: Users may choose to enable end-to-end encryption for Zoom Meetings. This provides a high level of security since no third party — including Zoom — has access to the meeting’s private keys.
- Default Encryption: The connection between a given device and Zoom is encrypted by default, using a mixture of TLS 1.2+ (Transport Layer Security), Advanced Encryption Standard 256-bit AES GCM encryption, and SRTP (Secure Real-time Transport Protocol). The precise methods used depend on whether a user leverages the Zoom client, a web browser, a third-party device or service, or the Zoom Phone product. For further information, please see our encryption whitepaper.
- Protections against unauthorized meeting participants: Zoom has implemented numerous safeguards and controls to prohibit unauthorized participants from joining meetings:
- Eleven digit unique meeting IDs
- Complex passwords
- Waiting Rooms with the ability to automatically admit participants from your domain name or another selected domain
- Lock Meeting feature that can prevent anyone from joining the meeting
- Ability to remove participants
- Authentication profiles that only allow entry to registered users, or restrict to specific email domains
- At-Risk Meeting Notifier tool can scan posts on public social media sites and other public online resources for Zoom Meeting links
- Selective meeting invitations: The host can selectively invite participants via email, IM, or SMS. This provides greater control over the distribution of the meeting access information. The host can also create the meeting to only allow members from a certain email domain to join.
- In-meeting security: During the meeting, Zoom delivers real-time, rich-media content securely to each participant within a Zoom Meeting. All content shared with the participants in a meeting is only a representation of the original data. This content is encoded and optimized for sharing using a secured implementation.
- Host controls: Meeting host controls can enable/disable participants from content sharing, chat, and renaming themselves.
- Reporting: Report a user feature enables the meeting host to flag problematic behavior.
- In-product security controls: Security controls with a dedicated Security icon on the main interface.
- Role-based user security: The following pre-meeting security capabilities are available to the meeting host:
- Secure log-in using standard username and password or SAML single sign-on
- Start a secured meeting with a passcode
- Schedule a secured meeting with a passcode
- Robocall prevention: Users can prevent robocalling with rate limiting, and reCAPTCHA (requires human intervention) enabled across all platforms.
Choices for data in transit and data at rest
Zoom understands that our customers may wish to have choices about the data centers that process their data in transit and at rest.
Data in transit, or data in motion, is data actively moving from one location to another, such as across the internet or through a private network. For data in transit, account holders and admins on paid accounts can opt-out of certain data center regions for hosting real-time meeting and webinar data in transit (see this help article). Zoom provides transparency into data routing via the account administration dashboard.
Data at rest is data that is not actively moving from device to device or network to network, such as data stored in a cloud data center. Customers may choose the data storage location for some of their customer content at rest.
“Customer Content” is all data, including text, sound, video, or image files, that a customer puts into the Zoom service for processing and uploads to Zoom’s cloud servers for storage or additional processing. For example, Customer Content may include video recordings, cloud recordings, transcripts, in-meeting chat, persistent chat, and files exchanged in-meeting.
If a customer uploads Customer Content to the Zoom cloud service, it is hosted on Amazon Web Services’s (“AWS”) global network. The data center hosting location applicable to each Zoom customer can vary if the organization uses our communication content storage feature. This storage location feature allows global teams to choose the region where certain types of data at rest are stored. Please note that certain categories of data are still processed in the U.S.
Strict protocols for responding to governmental requests for information
Zoom is committed to protecting our customers and users’ privacy and only produces user data to governments in response to valid and lawful requests, in accordance with our Government Requests Guide and relevant legal policies.
In all geographic areas:
- Government requests must be issued under applicable laws and regulations and through official channels, including requiring a signed official document or an email request sent from a government entity’s official email address.
- Each request must be explicit, not overly broad, and have a valid legal basis. We will reject or challenge requests that do not meet these requirements.
- We will apply additional scrutiny to certain government requests for user information based on our principles and interest in promoting successful collaboration worldwide.
If a request is too vague, Zoom will challenge the validity of the request to minimize the spectrum of information submitted.
Zoom typically notifies users of governmental requests for information, including a copy of the request received unless we are legally prohibited from notifying the user. Requests for exceptions to user notification must include a description of the exigent circumstances or notification’s potential adverse result.
- Transparency Reports: Zoom published its first report on the number of requests received from U.S. and international authorities in December 2020 (Government Request Transparency Report). We aim for each transparency report to improve on the previous one. Our most recent Transparency Report is available here. Additional Transparency Reports will be made available in the Zoom Trust Center.
- In-Product Notifications: Zoom is continuously updating to integrate feature-specific privacy notifications into the Zoom experience to help users understand, in context, who may be able to see and share the content and information they share on Zoom. For example, if a user wants to know who can see the messages they send in Zoom’s chat feature, they can go to “Who can see your messages?” to see who can access the messages they send to everyone, as well as the private messages they send.
Zoom designs its services with GDPR requirements at the forefront
Zoom is committed to making every effort to build product features that align with GDPR requirements and foster protection of the personal data processed through our services. For more information about our data practices, please see our Privacy Statement, or you can send an email to email@example.com if you have any GDPR-specific questions.