The Covid-19 crisis is putting a lot of pressure on organizations to enable remote working and collaboration. The ease of deploying cloud solutions means this is a route often taken, but it comes with significant data protection risks. The Data Protection Officer of the German state Baden-Württemberg recently published an analysis of these challenges and recommends the use of ‘on-premises’ solutions over software-as-a-service solutions.
The analysis points out that, when choosing a solution:
care should be taken to ensure that the provider neither evaluates metadata (who communicated with whom and when) nor evaluates the content data of the communication for its own purposes or passes it on to third parties.
There are options:
There are numerous solutions based on open source software (e.g. Nextcloud Talk, Jitsi Meet, RocketChat or Matrix) that can be used in accordance with data protection principles.
They warn that mobile apps in particular have been shown to sometimes reach out to their makers, or even to third parties (like Zoom, which was recently shown to share user data with Facebook, irrespective of whether the user has a Facebook account), and that this is a risk a Data Protection Officer needs to be aware of. As an organization, you are responsible for where the data of your users ends up, and pushing them to a solution with terrible terms of service is legally risky.
There are a number of other tips, including on the use of video chat, and we recommend that German readers read the entire recommendation.