Zoom fiasco highlights need for data protection law

There has been a whole lot going on at Zoom. The video conference app has been a major beneficiary from the lockdowns imposed due to the coronavirus, as humanity participates in its largest-ever home based experiment. Therefore, Zoom’s shares have doubled in value in under six months. All isn't well though, the business has been fraught with privacy issues recently. For instance, the Electronic Frontier Foundation (EFF) remarked that hosts of Zoom meetings can see if the participants are attending to based on whether or not the Zoom window is active on the screens.

Zoom may likely make the argument that the ability to have the ability to check whether people are active on a team call is an attribute, not an instrument meant to cause harm. Which is one method to look at things. But as well, that's not the only slip up when it comes to privacy the company has been embroiled in earlier this month. VICE reported that Zoom’s iOS iphone app sends user data to Facebook whether or not there is no need a Facebook account. Zoom notifies Facebook when an individual opens the app, shares information regarding the user’s device, like the model, time zone, city, phone carrier, and the unique advertiser identifier (a unique number created by user devices which are then used to focus on ads).

Zoom’s privacy policy isn't explicit relating to this data collection and there's a blame game to be played here. Facebook could make the argument that it needs developers (like Zoom) using Facebook’s SDKs and Pixels to be transparent about the info they are collecting, using and sharing. Zoom can and has argued that Facebook was collecting unnecessary device data. We must talk about all this because apps like Zoom and Houseparty aren't going anywhere.

Instead, this incident is a fantastic teacher for how policy and protections work in the data protection space. Firstly, it highlights the need and urgency for India (and other countries) to get a data protection law. These are exactly the sort of offenses a data protection law is meant to penalise. In an excellent world, had there been a data protection law in place here, Zoom likely would have had to adhere to a typical of explicit consent. This way, the user would have recognized what data was being shared. Had Zoom not adhered to the guidelines of consent, it could experienced to pay a penalty. The info being distributed to Facebook could have come under ambits of personal data, personal sensitive data and non-personal data, requiring different degrees of protection and liability.

The fact that none of the protections afforded by a privacy law are set up yet means the only protections users have are those given to them by companies whose objective is to maximise shareholder value. Generally maximising shareholder value comes at a cost of trampling on user rights. Most companies will be more than happy to make this trade-off and would ideally wish to accomplish it when there isn’t a data protection law set up.

At this point, it is hard to state whether a data protection regulation is going to be a definitive solution to incidents like these. Broadly because there isn’t a whole lot of precedence to learn from yet. Arguably the most significant existing legislation in this space may be the General Data Protection Regulation (GDPR) in the EU. The law was enforced in-may 2018 and an assessment of how its implementation has fared arrives by the Commission sometime this season.

There is every chance that the Personal Data Protection regulation that India ends up adopting won't fix everything in terms of abuses of power that have a vacuum in the info protection space. It will be hard to implement clauses and penalties on every website on the web also to track data flow at scale.  However, as any policy analyst worth their salt will let you know, change happens at the margins.

In the bigger picture, Zoom sharing data with Facebook without explicit notice is an indicator that's reflective of a deeper issue of accountability within the info protection space. There are no laws, and when laws do exist, they are near impossible to impose and monitor. This will serve as a high-profile warning sign of practices that currently exist and so are going to continue until regulation exists.