Video conference systems like Microsoft Teams or Zoom are booming thanks to Corona. This also puts them in the focus of the data protection supervisory authorities. The Berlin supervisory authority has now published the results (PDF) of its short review of video conference services, which focused primarily on the design of the order processing contracts. The conclusion: According to the authority, hardly any of the audited video conference services can be used in compliance with data protection. For Microsoft Teams in particular, the agency has identified numerous shortcomings in Microsoft’s order processing contract.
Microsoft Teams is an integral part of Microsoft 365 (formerly Office 365) and is subject to its provisions regarding online services terms and data processing agreement (DPA). As a result, according to the authority, it is currently not possible to use the cloud-based versions of Word, PowerPoint and other products as well as Microsoft Azure in a legally compliant manner.
- Google Meet
Google Meet enables web-based video and conference calls. In the free version available from May, the service allows conferences with up to 100 participants with a maximum duration of 60 minutes – but this restriction will only come into effect from October 2020. Like most Google services, Meet is designed for Google Chrome and other Chromium-based browsers and works here without plugins. Mobile applications for Android and iOS are also available.
- Facebook Messenger Rooms
With Messenger Rooms, users can set up a conference room directly from Messenger or Facebook and invite up to 20 – later 50 – participants to a video call – even if they do not have a Facebook account. There is no time limit. Participation is possible via smartphone or PC via the browser and, according to Facebook, does not require any downloads. However, users of the Messenger app have access to various AR effects (e.g. rabbit ears) and new AI-supported functions such as immersive 360-degree backgrounds and atmospheric lighting.
- Skype
As the most well-known VoIP service, Skype also offers a range of video chat and video conference functions. Microsoft has replaced Skype for Business with the Teams platform.
- Microsoft Teams
The successor to Lync and Skype for Business is not a standalone product, but part of the Microsoft Office 365 Suite. However, Teams is available free of charge and is suitable for small businesses with up to 300 members. Guest access, individual and group video calls, and screen sharing are also on board.
- Google Duo
Google Duo is designed as a free video telephony tool primarily for home users. The maximum number of participants in the Android and iOS app has only recently been increased from eight to twelve people and is expected to increase further according to Google. Duo is available as a web application for PC, Mac and Chromebook as well as a mobile app for Android and iOS devices.
- Jitsi Meet
Jitsi Meet is an easy-to-use solution for video conferencing that still offers many functions. The free solution is based on the open WebRTC standard and can be used on the PC directly and without registration in the browser (Chrome). Apps (Android, iOS) are available for smartphones and tablets.
- Whereby
The Norwegian service Whereby (formerly appear.in) is free of charge for video conferences with up to four participants. The solution is WebRTC-based, which means that guests can easily connect via the browser without registration. Apps for Android and iOS are optionally available.
- Tinychat
After registration, the free Tinychat offers the opportunity to quickly and easily open a new video conference. All you have to do is create a new “room” and send the generated URL to the conference participants.
- Lifesize
Lifesize offers free licenses to companies affected by the coronavirus epidemic for a period of six months. Meetings and call duration are unlimited – the Lifesize solution is available for desktops as well as for mobile devices.
- Zoom
Zoom positions itself as one of the leading providers of video conferencing. The tool is primarily characterized by its ease of use and an attractive freemium offer: video conferences with up to 100 participants are already possible with the free version.
- GoToMeeting
LogMeIn completely redesigned its video conference software GoToMeeting at the end of 2019 and implemented new functions. Among other things, the solution now works in the browser via WebRTC as well as via desktop and mobile apps. The subscription plans start at 10.75 euros per month and host for the professional version.
- Cisco WebEx
Cisco will continue to offer WebEx free of charge as part of the corona virus pandemic. Unlimited meetings with up to 100 participants, HD video, audio dial-in, personal conference room, screen sharing on desktop and mobile devices, as well as 1GB cloud storage and recordings are included.
In a statement from Microsoft on the verdict of the data protection officers, the group clearly contradicts the authority. Microsoft is convinced that the products in general and Microsoft Teams in particular can be used in compliance with data protection. Microsoft goes into the individual criticisms in detail. According to Microsoft, the shortcomings in the order processing contract are mainly due to translation errors. Microsoft also criticized that the authority had not dealt with the information provided by Microsoft and had therefore come to the wrong result. At the same time, Microsoft seems to insist on its own assessment and does not want to improve the points criticized by the supervisory authority.
In the end, the Microsoft customer bears the risk in this dispute. He is responsible under data protection law if the order processing contract does not meet the legal requirements. The customer will probably not be able to provide sufficient evidence of data protection compliance.
In parallel to the Berlin supervisory authority, the European data protection officer also checked Microsoft products and services that are used by EU institutions. He has now published the result in an almost 30-page report (PDF), which is also interesting for companies. He essentially criticizes the following five points:
Independent processing by Microsoft: Microsoft reserves the right to change and define the parameters of order processing and its contractual obligations according to its own provisions for online services. In doing so, Microsoft inappropriately leaves the role of processor and itself becomes the responsible party.
Lack of control over subcontractors: Microsoft customers have no control over who is used as a subcontractor in relation to order processing, and there are no corresponding inspection rights vis-à-vis the subcontractors.
International data transfer: Microsoft customers could not fully understand where their own data is stored. This is associated with the risk of unlawful disclosure of the data. In some cases, there are also no suitable guarantees that ensure international data transfer in compliance with the GDPR.
Data collection by Microsoft (diagnostic data): Because the cloud products sometimes collect data independently and transmit it to Microsoft, the necessary transparency of the services is lacking. The Dutch Ministry of Justice and Security also found this out last year as part of its data protection impact assessment for Microsoft Office 365.
Non-transparent processing: There is insufficient clarity about the type, scope and purpose of the processing and about the risks for the data subjects. This means that customers could not fully meet their transparency obligations towards those affected.
For these points, the data protection officer gave the European institutions recommendations for action and solutions in order to eliminate them. Certain defects could be remedied by configuring the products accordingly. Others should be negotiated with Microsoft.
So what can Microsoft customers do? It would be possible to do without using Microsoft products. However, this is a very theoretical solution, because Microsoft products are the market standard in many cases. Alternatively, Microsoft customers can try to make adjustments to Microsoft’s contractual terms. To what extent there is room for negotiation for the majority of customers with regard to the design of the contractual basis is questionable. However, this option only exists if the respective customer has sufficient market power to be able to negotiate adjustments with Microsoft.
As a further option, the customer could try to rely on another legal basis for the data transfer to Microsoft instead of order processing. However, this amounts to a case-by-case examination, which in practice will hardly be possible. After all, the customer can take legal action on behalf of Microsoft. Then it will be seen whether the points raised by Microsoft convince a court.
The assessment of the Berlin data protection authority and the European data protection officer may be factually correct. In fact, this knowledge does not help the individual company. How companies can behave in order to implement the requirements of the GDPR remains completely open. Hopefully, Microsoft will make adjustments to the terms of the contract and quickly resolve the criticized points. Until then, in order to act as far as possible in compliance with data protection, companies should in any case observe the points listed in this checklist when using Microsoft 365. (sb)