Data Blast: Zoom’s ads do you know the story?; Singapore, Europe and UK using phone data in Covid-19 crisis; and Indian Data Protection Act update

Zoom extracting personal data from conference calls to create targeted ads

As nationwide lockdowns have forced millions of businesses and their employees to rely on video conferencing app Zoom, privacy advocates have raised concern over its relationship with tracking-based advertisers.

American e-marketing journalist Doc Searls warned in a March blog post that Zoom has the right to extract data from user meetings, and works alongside advertising technology companies to use the extracted information to create targeted advertisements.

The personal information Zoom is entitled to extract and use includes names and addresses, as well as other identifying data including job titles, employers, device specifications and social media profiles. Most concerning, however, is the inclusion of ‘content contained in cloud recordings, instant messages, files and whiteboards shared on the app.’ The Zoom privacy policy indicates as much, defining personal data broadly to include meeting contents and contact details, and states that these data may be used to personalise ads.

Zoom offers both free and paid-for conference calling services, and has become vital to the functioning of businesses over the past month, seeing its stock soar as a result. However, its privacy policy adds the caveat that ‘we do not allow marketing companies, advertisers, or anyone else to access personal data in exchange for payment … in our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.’

WHO advocates tracking of people’s smartphones to ensure self-isolation

According to the World Health Organisation (WHO), tracking and limiting the movement of overseas travellers, and others suspected of carrying the Covid-19 coronavirus, has been vital in containing the pandemic.

Professor Marylouise McLaws, a WHO advisor, has stated that tracking has proved critical in flattening the growth curve of cases of infection, particularly in Singapore, South Korea and Taiwan.

In Singapore, individuals exposed to the virus have been required to self-isolate for 14 days, which is enforced by individuals enabling their phone location services and periodically clicking on a link sent by SMS message. The links report location to Singapore authorities, and the messages must be responded to quickly in order to prevent people from breaking isolation.

Professor McLaws explains that the data have shown that the majority of cases can be traced to international travellers, or those they have come into contact with, and that keeping those individuals away from the general population prevents the spread of the virus. As such, these tracking measures would be beneficial in containing the spread of the virus in other countries. Furthermore, the WHO believes that use of electronic monitoring is less likely to create widespread panic than other measures, such as follow-up visits by police.

Despite the benefits of using tracking data to combat the spread of the coronavirus, many governments have refused to do so. For example, the European Union has announced that the use of mobile phone data to track the virus is not legal under the ePrivacy Directive (which we cover in detail here).

UK ICO OKs use of anonymised phone data to track coronavirus spread

On March 28th, the ICO advised the government that the use of anonymised mobile phone tracking data in the fight against the coronavirus does not run afoul of data protection law.

When properly anonymised, such data is not considered personal data, and therefore is outside the authority of the Data Protection Act 2018 and the GDPR. In a statement on the ICO’s website, Deputy Commissioner Steve Wood explained that, ‘generalised location data trend analysis is helping to tackle the coronavirus crisis. Where this data is properly anonymised and aggregated, it does not fall under data protection law because no individual is identified. In these circumstances, privacy laws are not breached as long as the appropriate safeguards are in place.’

The UK government has been considering using anonymous usage and location data in order to create movement maps, which would allow government agencies to determine whether people are adhering to the lockdown rules and restrictions. The creation of such maps would also help the government discover congregation hot spots.

As outlined in the story above, several nations, including Singapore, Taiwan and Israel, are already using mobile phone location data to track those with Covid-19, or new international arrivals who are felt to be at higher risk of being carriers. The ICO opinion provides the UK government legal cover to deploy the technology in a similar manner, provided such data is properly anonymised, if it sees fit to do so.

However, many privacy groups and other countries have been critical of such measures. Privacy International has stated that any use of such data must be safeguarded by ‘extraordinary protections’ as the de-anonymisation of such data is possible, and could lead to massive surveillance of people in the future. Furthermore, Australian Prime Minister Scott Morrison, in responding to a question about the ICO’s advice, has claimed that Australia would not adopt such measures, and will not ‘cut and paste measures from other places, which have completely different societies.’

Indian Data Protection Bill faces criticism

India’s proposed data protection law, the Personal Data Protection Bill (the Bill, previously covered here), is currently facing considerable criticism from privacy advocates, large companies and social media firms.

The Bill, which is presently under consideration by a joint Parliamentary Committee, is seen as problematic for a variety of reasons. Chief among these is that the law allows the Indian government to exempt itself from its requirements. The Bill permits any government agency to be granted exempt status for a multitude of ambiguous reasons, including for the prevention of incitement, breakdown of public order, in the interest of the sovereignty and integrity of the country, and to promote friendly relations with foreign states. The exemption process has no judicial oversight, nor is any independent organisation tasked with implementing the proposed law or overseeing compliance.

Business groups have also voiced their objection to the Bill, as it requires companies to keep sensitive personal information about users on servers based in India (an expensive requirement known as data localisation). Furthermore, they are concerned that the Bill’s proposed fines and associated costs are too high, particularly for small businesses, and that privacy protection may be compromised by government access.

Social media companies are also concerned that the Bill’s requirement that ‘voluntary identification verification’ of users be made available will require a significant expenditure of resources.

It should be remembered that the Bill is yet to be adopted as law, and may still change in form. However, if passed into law it would become one of the world’s strongest pieces of data protection legislation, to the displeasure of privacy advocates and technology companies alike. We will be monitoring developments with this legislation closely going forward.