Introduction
Zoom is under fire because their new terms and conditions suggest that data subjects cannot choose whether or not their data is processed by the AI systems used by Zoom. In this blog, we will explore this issue and discuss what implications it may have for Zoom.
What did Zoom’s terms and conditions say?
In March 2023, Zoom added new clauses in its terms and conditions regarding consent to use customer data for things like AI model training. What caused controversy was the following rule included in these clauses:
“Notwithstanding the above, Zoom will not use audio, video or chat Customer content to train our artificial models without your consent. ”
This sentence suggests that users who enter into a contractual agreement with Zoom undertake to grant Zoom a very extensive right to process his/her personal data.
Zoom reserves through these new clauses a laundry list of rights with respect to Customer Data, including (but not limited to) publishing, sharing, redistributing, displaying and creating derivative works with such data. Zoom also grants itself a “perpetual, worldwide, non-exclusive, royalty-free” license to use customer data in seemingly any way it sees fit.
This very clearly goes against all possible privacy-related legal requirements that Zoom would have to meet to be applicable in the EU.
Zoom’s AI data collection and the GDPR
This could put Zoom in trouble under EU privacy rules, both under the terms of the GDPR and the ePrivacy Directive.
It’s pretty clear that this way Zoom does not meet the GDPR requirement that data subjects must give opt-in consent for this level of processing of their personal data.
ePrivacy Directive
The ePrivacy Directive can potentially be invoked by any individual EU country on the basis of eavesdropping, as the end user must consent to the way data is intercepted by third parties through the company’s AI data collection.
Previously, ePrivacy focused only on traditional telecom services, however, the law was amended in late 2020 through the European Electronic Communications Code to extend the confidentiality obligation to so-called over-the-top services such as Zoom.
Article 5 of this Directive provides that the interception, storage or other forms of interception or surveillance of communications and related traffic data by persons other than users is prohibited without the consent of the users concerned. This provision seems highly relevant in the present case.
Response from Zoom
These new terms and conditions drew a great deal of criticism and increasing complaints from customers. In response, Zoom recently made a small change to its General Terms and Conditions.
Indeed, Zoom now says it will not use audio, video or chat customer content as part of its AI data collection without user consent. It has published a further update on its blog with elements such as sticky notes, whiteboards, comments and calendars. However, this does not mean that all problems are solved.
Service Generated Data
However, Zoom still gives itself similar unfettered access to what is called “Service Generated Data.” In addition to telemetry and diagnostic information, this data category includes “product usage data” and “similar content or data” that could still very well apply to user uploads. This means that essentially nothing has changed.
Even if an opt-in system is provided, Zoom will reserve the right to execute this opt-in on behalf of each participant. Individuals would not have the ability to unsubscribe themselves or their own contributions to any collaboration already approved by a Zoom administrator.
Conclusion
Zoom has been sued several times in the past for data privacy issues and fraudulent marketing practices. For example, Zoom was already fined in 2021 after it shared user data with LinkedIn, Facebook and Google without consent or notice.
As for possible GDPR action against Zoom for their AI data collection practices, no actions have yet been taken. There is also some general confusion about exactly how that would play out. Zoom actually has an EU office in the Netherlands, but the Dutch data protection authority says it is not registered as a lead regulator. If the company does not have an EU office that meets the standard for a data controller, penalties may be imposed. One thing is certain, if Zoom does not take urgent steps, the Data Protection Authorities will undoubtedly be able to impose large fines on Zoom should a case be opened against them around their AI data collection practices.
