Zoom's AI Training Controversy, UK's Major Data Breaches, and India's Landmark Data Protection Bill 2023
By Robert Bateman and Privado.ai
This week’s Privacy Corner Newsletter tackles the following privacy questions:
Zoom’s AI-Training Policy Provokes Privacy Outrage
An update to Zoom’s terms of service hit the headlines this week, leading to concerns about how the company uses personal data to train its AI models.
Why were these terms of service so controversial?
The controversial provisions in Zoom’s terms of service agreement were Sections 10.2 and 10.4, which relate to how Zoom uses two different types of data: “Service Generated Data” (Section 10.2) and “Customer Content” (Section 10.4).
What was Zoom doing with this data?
That’s a good question, but let’s come back to it.
For now, let’s look at what Zoom (ostensibly) had permission to do with these data types under its terms of service.
Section 10.2 stated that users “consent to Zoom’s access, use, collection, creation, modification, distribution, processing, sharing, maintenance, and storage of Service Generated Data for any purpose”, including “training and tuning of algorithms and models”.
Section 10.4 stated that Zoom had a “perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license” to use Customer Content for virtually any purpose, including those relating to “machine learning, artificial intelligence, training, (and) testing.”
So Zoom was training its AI models on people’s calls?
Zoom’s terms granted the company a license to use people’s call recordings, private chats, and practically any other data collected or generated by the platform for training its AI models—and virtually whatever else it felt like doing.
But the company denies that it ever used call or chat data for these purposes without opt-in consent.
“...our intention was to make sure that if we provided value-added services (such as a meeting recording), we would have the ability to do so without questions of usage rights,” said Zoom’s chief product officer in a blog post published on August 7, after the controversy arose.
“For AI, we do not use audio, video, or chat content for training our models without customer consent.”
So why did Zoom write its terms this way?
According to Zoom, it was an oversight.
“We had a process failure internally that we will fix,” claimed Zoom founder Eric S. Yuan on LinkedIn.
“...for AI, we do NOT use audio, video, screen share, or chat content for training our AI models without customer explicit consent,” Yuan reiterated.
“We will change our general terms of service, free trial terms of service and our product to reflect this decision very soon.”
So has Zoom fixed its terms?
Zoom added a line to its terms of service on Monday:
“Notwithstanding the above, Zoom will not use audio, video or chat Customer Content to train our artificial intelligence models without your consent,” the new terms of service agreement states.
What about other types of data?
While Zoom hurried to clarify its intended uses of Customer Content, the company has not backed down regarding Service Generated Data.
“We wanted to be transparent that we consider this to be our data,” said the CPO’s blog post. “We can use service generated data to make the user experience better for everyone on our platform.”
So while Zoom might not be using call and chat data for machine learning purposes without consent, the company still says it can train its algorithms on a very broad range of data, including the notoriously broad “telemetry data”, without consent.
(The terms purport to obtain “consent” for this, but it doesn’t meet the consent standards of most data protection and privacy laws).
Is that legal?
Even if we grant that Zoom does not use Customer Content for non-consensual purposes, there are still potential issues around Zoom’s use of telemetry and other Service Generated Data.
Under the ePrivacy Directive, versions of which are implemented in the national laws of every EU member state—plus Iceland, Liechtenstein, Norway, and the UK—any non-essential processing of data collected from people’s devices requires consent.
And even in the US, laws such as the Health Breach Notification Rule (HBNR) and the Health Insurance Portability and Accountability Act (HIPAA) have implications for how Zoom collects and discloses such data from certain users.
Zoom has stated that it complies with US health and education sector privacy laws.
“We routinely enter into student data protection agreements with our education customers and legally required business associate agreements (BAA) with our healthcare customers,” says the CPO.
But Zoom users in the health and education sectors should be aware that regulators are interpreting these laws very broadly, and have recently sanctioned several companies (such as BetterHelp, GoodRX, and Edmodo) for sharing device-generated data without consent.
India Passes Long-Awaited Digital Personal Data Protection Bill
The world’s largest democracy, India, has passed a comprehensive data protection law.
Finally!
Finally, after many years of drafts and back-and-forth, India has passed a comprehensive data protection law to replace its decades-old Information Technology Act and “SPDI Rules”.
The bill has changed substantially since the original Personal Data Protection Bill 2018 as various groups and committees weighed in on certain provisions.
How does the final law look?
First and foremost, it’s important to acknowledge that this tech-focused country of 1.4 billion people now has a comprehensive law providing data protection rights and enabling enforcement.
But despite compromises on some of the law’s more controversial provisions, there are still concerns about exemptions for government agencies and certain delegated powers.
For example, under Section 17(3), the Indian government can exempt certain data fiduciaries, “including startups”, from obligations around transparency and data principals’ rights.
Data principal? Data fiduciary?
Yes, the DPDPB uses “data principal” as an equivalent to the GDPR’s “data subject”. A “data fiduciary” amounts to a “data controller”. “Processors” are still “processors”.
There are some other similarities to the GDPR—but some very significant differences, too.
Like the GDPR, the DPDPB provides “grounds for processing personal data” (essentially the GDPR’s “lawful bases”).
But whereas the GDPR provides six lawful bases, the DPDPB only provides two: consent, and “certain legitimate uses”.
However—unlike the GDPR’s relatively flexible “legitimate interests” lawful basis, the DPDPB provides an exhaustive list of just nine “legitimate uses”, some of which are available only to state actors.
The DPDPB also introduces the concept of a “consent manager”: a data fiduciary’s single point of contact that enables the data principal to “give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform”.
And while the EU’s “adequacy” process has created a list of countries to which data can be freely transferred, India will operate on a “denylist” basis, with all international data transfers permitted by default—a sharp change in approach from earlier data localization proposals.
Sounds complicated
Correct. Companies operating in India will need to do some serious work to get to grips with the DPDPB before the bill takes effect.
GDPR compliance will not guarantee compliance with India’s new data protection regime
UK Electoral Commission and Northern Irish Police Service Announce Major Data Breaches
The UK’s Electoral Commission and the Police Service of Northern Ireland (PSNI) both announced significant data breaches on Tuesday.
So, first, what happened with the Electoral Commission?
The Electoral Commission “oversees elections and regulates political finance in the UK” and works to “promote public confidence in the democratic process and ensure its integrity”.
In October 2022, the Commission discovered that malicious actors had penetrated its servers the previous August, and had gained access to its “email”, “control systems”, and “copies of the electoral registers”.
The attack compromised personal data about almost every UK registered voter, including their names and addresses, plus any information received by the Commission via email, which could include phone numbers, email addresses, and anything else submitted via web forms.
That sounds pretty bad
Yes and no.
Much of the information in electoral registers is publicly available. However, access to the registers is tightly controlled. There are implications if a hostile actor got hold of even the publicly available electoral register.
Furthermore, some voters opt out of the public register. Data about those people was also compromised.
However, certain people vote anonymously due to privacy concerns. The Commission says that data about anonymous voters was not compromised.
What about the PSNI breach?
The PSNI breach appears to have resulted from “human error”. While the scope of the breach is much smaller, the consequences could be much more serious.
The PSNI responded to an unremarkable FOI inquiry requesting information about the number of officers at different ranks of the police service.
The PSNI shared the requested information via a spreadsheet published on a public database of FOI responses called WhatDoTheyKnow.
However, a second tab of the spreadsheet revealed the surname, initial, rank or grade, location, and departments of all current PSNI officers and civilian staff.
The FOI response was taken down from WhatDoTheyKnow within hours—but is “freely circulating on WhatsApp groups,” according to a former senior PSNI officer quoted by the Belfast Telegraph.
“It is in essence ‘out there’ and can never be retrieved,” the source said.
Why is that so bad?
Police in Northern Ireland operate in a highly-charged and politically sensitive environment.
While the worst days of the ethno-nationalist conflict known as “The Troubles” are over, police officers have been killed by paramilitary groups as recently as this February.
“As a serving police officer, my own family do not know what I do,” an anonymous officer told the Belfast Telegraph. “I have had to move house… I deleted social media accounts… now my full name and initials are widely available.”
“It's a complete disaster,” the source continued.
The UK’s data protection authority, the Information Commissioner’s Office (ICO), is investigating both incidents.
What We’re Reading
Here are some recommendations for the best privacy-related reading published this week.
Attorney, CPA, FIP, AIGP, CIPT, CIPM, CIPP E / US, Certified Privacy Engineer
Robert Bateman - I'm very curious why you refer to the ePrivacy Directive regarding Zoom ("Under the ePrivacy Directive, versions of which are implemented in the national laws of every EU member state—plus Iceland, Liechtenstein, Norway, and the UK—any non-essential processing of data collected from people’s devices requires consent"). ePrivacy is more of a complement to GDPR in the area of electronic communications and direct marketing (w/ most forms of such requiring opt-in consent, w/ exceptions for existing customers). I don't follow how 'direct marketing' applies here in this Zoom situation. And if utilizing ePrivacy, hasn't the hurdle of "consent" already been cleared, given that Users had to ostensibly "opt-in" to receive communications from Zoom to begin with?