Zoom alternative? Which video conferencing tools are GDPR compliant

When it comes to digital tools, you want to stay compliant. COVID-19 has not only changed the way we live, but also the way we work and communicate. In this context, few other tools have gained the same level of attention as quickly and as strongly as video conferencing.

From ‘Which video conferencing tool should we use?’ to ‘Which alternative to Zoom can we use?’, we have received numerous questions over the past several months. 

Zoom has been the subject of frequent criticism due to data protection issues. Luckily, there are alternatives to Zoom, and we're covering all the relevant data protection questions related to video conferencing. Here’s everything you need to know about compliant Zoom alternatives, including their advantages and disadvantages. 

What you need to know in a nutshell

  • There have been a number of data mishaps in recent years among the major video conferencing tools, especially with Zoom. Therefore, we strongly discourage the use of Zoom when it comes to data protection and privacy.
  • When looking for an alternative, it becomes clear that there is not one video conferencing tool that is perfectly suited to all users. The question is rather how and for what purpose you intend to use it.
  • When choosing a video conferencing tool, you should definitely keep in mind where the provider is based — ideally in the EU or in the European Economic Area.
  • We also recommend so-called on-premise solutions (aka ‘self-hosted’ solutions) where the video conferencing software runs on your own servers.


Does a perfect alternative to Zoom even exist?

The most important issue first: there is no such thing as the perfect alternative to Zoom. Which tool is optimally suited to your needs depends on your company and what you would like to use the software for. In other words, it all depends on the application.

What do you actually need Zoom and its alternatives for in the first place?

It makes quite a difference whether you need the software for internal meetings or perhaps for webinars. It is your specific application requirements that determine which functions a video conferencing tool must offer. 

Let’s take a look at the most common applications:

Application: Internal meetings
Participants: e.g. two participants, the project team, the entire department, or the entire company
Important functions:

  • Screen sharing
  • Conference recording (only with permission!)

Application: Webinars
Participants: one speaker and many (frequently external) participants
Important functions:

  • Chat
  • ‘Raising a hand’, e.g., to ask a question
  • Option of uploading to YouTube

Application: Sales
Participants: sales staff and client(s), interested parties, or suppliers
Important functions:

  • Screen sharing
  • Scheduling

Application: Job interviews
Participants: HR staff and applicants
Important functions:

  • Participation without downloading the software
  • Good audio and video quality
  • Stable connection

Application: Other external meetings
Participants: e.g., club members, party delegates, doctors and patients during web appointments, judges and others involved in court proceedings, shareholders during the annual general meeting, committee members during meetings, etc.
Important functions: depending on the individual use case, e.g.,

  • Simple to use
  • Stable connection
  • Access by phone

Naturally, there are other factors that play a role in addition to the individual functions of the applications. These include the cost and user-friendliness of the tools, the stability of the connection, and the volume of data transferred. You also need to consider the use of the tool on a smartphone, as well as integrating it into existing software solutions.

Which providers offer video conferencing tools?

The list of providers is long — far too long to name them all here. However, the following selection will give you an impression of just how many providers there are on the market.

A selection of video conferencing tools: 

  • Zoom
  • Microsoft Teams
  • Skype and Skype for Business (both from Microsoft)
  • GoToMeeting
  • Cisco Webex Meetings
  • Blizz (from TeamViewer)
  • Demodesk
  • Join.me
  • Google Hangouts
  • Google Meet
  • Facebook Workplace
  • Cisco Jabber
  • Samepage
  • Adobe Connect
  • Zoho Meeting
  • TeamViewer
  • Jitsi Meet
  • RocketChat
  • Nextcloud Talk
  • Matrix

Which video conferencing tools are most frequently used?

The biggest and best-known video conferencing tools are all owned by US companies. These include:

  • Zoom from Zoom Video Communications
  • Microsoft Teams as well as Skype from Microsoft
  • Cisco Webex Meetings from Cisco
  • GoToMeeting from LogMeIn


A simple Google search for UK-based video conferencing tools illustrates just how little known these are by comparison:

Google search in United Kingdom for video conferencing providers, source: Google Trends / DataGuard Analysis

Between February and the end of March 2020, there was a ten-fold increase in Google searches for video conferencing tools. Interest was still six times higher in May than back in February and Zoom is the clear favourite. In terms of user interest, Microsoft Teams and Webex were neck and neck, but well behind Zoom. 

Skype, on the other hand, started out strong, but has clearly lost users to Zoom. Blizz, the video conferencing solution by the German software firm TeamViewer, has remained largely unknown by comparison.

Since the start of the coronavirus pandemic, Zoom has seen a veritable explosion in user numbers — not just here, but worldwide: in December 2019, approximately 10 million people around the world were using Zoom every day. In April 2020, that figure had risen to 300 million — roughly thirty times higher than the December figure.

The rise in the number of users has, however, also resulted in a rise in the amount of criticism — particularly in relation to security gaps and data protection issues. While the providers of Zoom are now planning to act with the help of end-to-end encryption (which is generally considered to be the most private way of communicating on the web), the fact that these features are not part of Zoom’s default settings and the fact that there have been numerous data mishaps in the past do not shine a favourable light on the service.

Why is Zoom receiving so much criticism?

In the first few months of this year alone, there were some massive data protection problems at Zoom. Here are a few examples:

  • The registration data of more than 500,000 Zoom users has appeared on the Darknet. 
  • Researchers with the cyber security firm Check Point found that it was possible to listen in on meetings due to the way Zoom generates URLs for its meeting rooms.
  • In April 2020, a weakness with Zoom (keyword ‘Zoom Bombings’) allowed images of Adolf Hitler and Swastikas to be used to disrupt an event commemorating the victims of the Shoah at the Israeli embassy.
  • Pornographic images appeared during a Zoom lesson at a school in Freiburg (Germany).

At the same time, it is important to remember that Zoom is not the only company dealing with negative headlines. Even established companies can be affected. For example, Microsoft (though not specifically Microsoft Teams) suffered a serious breach of data security this year when 250 million data sets relating to Microsoft’s customer services, including chat messages, became openly available on the net and accessible to all users.

Why is data protection such an important issue in video conferences?

These examples show that it is important to consider data protection even during video conferences. Particularly when compared to telephone calls or telephone conferences, video conferences offer a much greater target area. Third parties listening in, unauthorised recordings by third parties and, of course, infringement of data protection law and other issues with the provider are among the greatest risks.

How is data protection handled with the various alternatives to Zoom?

In April 2020, the Berlin data protection authority expressed the view that, in addition to Zoom, Microsoft Teams and Skype could not be used in a data protection-compliant manner — an accusation that Microsoft rejected.

The Berlin data protection authority has not been the only authority to express its concern. The European Centre for Digital Rights (noyb) chaired by Max Schrems concluded that all the large providers’ privacy policies leave much to be desired.

Data transfers, retention periods, and data transparency are the three most important points mentioned in the privacy policy relating specifically to video conferencing. According to noyb and DataGuard, none of the main providers is satisfactory on all three of these points, as the following evaluation of the privacy policies illustrates.

 

| Information pursuant to Article 13 GDPR | Zoom | Webex | GoToMeeting | Skype | MS Teams | Wire |
|---|---|---|---|---|---|---|
| Identity and contact details of the controller | check-circle-07 2 | Ellipse 2 | Ellipse 2 | check-circle-07 2 | check-circle-07 2 | Ellipse 2 |
| Identity and contact details of the data protection officer | check-circle-07 2 | Group 11 | Ellipse 2 | Ellipse 2 | Ellipse 2 | check-circle-07 2 |
| Purpose of the processing of personal data | check-circle-07 2 | check-circle-07 2 | Ellipse 2 | Ellipse 2 | Ellipse 2 | Ellipse 2 |
| Lawfulness of processing | Group 11 | Group 11 | Group 11 | Ellipse 2 | Ellipse 2 | check-circle-07 2 |
| In case of legitimate interest: what are the interests of the data controller or third parties? | Group 11 | _ | Group 11 | Ellipse 2 | Ellipse 2 | Ellipse 2 |
| Interconnection: categories of personal data, purpose and legal basis | Group 11 | Ellipse 2 | Ellipse 2 | Group 11 | Group 11 | check-circle-07 2 |
| Recipients or categories of recipients of personal data | Group 11 | Group 11 | Group 11 | Group 11 | Group 11 | Group 11 |
| Data transfer outside the EU / EEA | Group 11 | check-circle-07 2 | Ellipse 2 | Group 11 | Group 11 | Group 11 |
| Retention periods | Group 11 | check-circle-07 2 | Group 11 | Group 11 | Group 11 | check-circle-07 2 |
| GDPR right to withdraw consent | check-circle-07 2 | Group 11 | Ellipse 2 | check-circle-07 2 | Ellipse 2 | check-circle-07 2 |
| GDPR right to lodge a complaint | check-circle-07 2 | Group 11 | check-circle-07 2 | Ellipse 2 | Ellipse 2 | Group 11 |
| Existence of automated decision making | Ellipse 2 | Ellipse 2 | Ellipse 2 | check-circle-07 2 | check-circle-07 2 | Ellipse 2 |

Evaluation of video conferencing providers’ privacy policies, source: Analysis by noyb and DataGuard

As you can see, only Cisco manages to achieve two out of the three important points (specifically data transfers and retention periods). Nevertheless, the wording on data transfer in Cisco’s privacy policy still needs to be viewed critically. It states that Cisco may be able to share information with service providers, contractual partners, and third parties under certain circumstances. This could relate to aggregated statistics and pseudonymised data. 

A closer look reveals that the Cisco privacy policy contains quite vague wording that does not give the reader any certainty — a practice that the European Data Protection Board regards as bad.

What do you need to look out for when choosing your video conferencing tool?

The privacy policy is, of course, just the very first point of reference when it comes to finding an alternative to Zoom that is better from a data protection point of view. Here are some of the other questions you should be asking to be on the safe side when choosing a video conferencing tool:

Is the provider trustworthy?

To find a trustworthy provider, it is worth looking at what other customers’ experience has been. A provider that has been frequently criticised for breaching data protection law cannot be considered trustworthy.

Is the data safe and properly encrypted?

Ensure that audio, video, connection data, screen sharing as well as meta data are encrypted. Regarding the above-mentioned providers, Cisco Webex is the only one to offer effective encryption of media data, even in the free version.

Where is the provider based?

Preference should be given to those providers whose headquarters are in the EU or in the European Economic Area (i.e., the EU, Iceland, Liechtenstein, and Norway). Demodesk and TeamViewer, for instance, are based in Germany.

Which servers does the video conferencing software run on?

Ideally, the application should run on your own servers, not on the provider’s (watch out for the keywords ‘on-premise solutions’ and ‘self-hosted’). This applies to the niche products Jitsi Meet and Nextcloud Talk.

How easy is it to log on?

Clearly, it should not be possible for outsiders to easily join a video conference. A good sign here would be, for example, URLs that are not easy to guess.
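One way to check whether a tool's join URLs are "not easy to guess", as an added example that is not part of the original article: it bounds the entropy of the meeting ID in a join URL and estimates how many blind guesses would be expected before one lands on an active meeting. The host `meet.example.org`, the 9-digit sample ID, the 64-bit threshold and the figure of 10,000 concurrent meetings are assumptions made for illustration.

```python
import math
import secrets
import string
from urllib.parse import urlsplit

# (name, allowed characters, alphabet size); smallest alphabet is tried first.
ALPHABETS = [
    ("digits", set(string.digits), 10),
    ("hex", set(string.hexdigits), 16),
    ("base64url", set(string.ascii_letters + string.digits + "-_"), 64),
]
MIN_BITS = 64  # assumed review threshold, not a figure from the article


def max_entropy_bits(meeting_id: str) -> float:
    """Upper bound on the ID's entropy, assuming every character is random.

    Sequential or time-derived IDs carry far less than this bound.
    """
    if not meeting_id:
        raise ValueError("empty meeting ID")
    for _name, chars, size in ALPHABETS:
        if set(meeting_id) <= chars:
            return len(meeting_id) * math.log2(size)
    raise ValueError("meeting ID uses characters outside the known alphabets")


def expected_guesses(bits: float, active_meetings: int) -> float:
    """Mean number of uniform random guesses before hitting any active meeting."""
    return (2 ** bits) / active_meetings


def meeting_id_from_url(url: str) -> str:
    """Take the last path segment of a join URL as the meeting ID."""
    return urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]


def review_join_url(url: str, active_meetings: int = 10_000) -> dict:
    """Summarise how guessable a join URL is for a vendor assessment."""
    meeting_id = meeting_id_from_url(url)
    bits = max_entropy_bits(meeting_id)
    return {
        "meeting_id": meeting_id,
        "max_bits": round(bits, 1),
        "expected_guesses": expected_guesses(bits, active_meetings),
        "ok": bits >= MIN_BITS,
    }


def new_join_url(base: str = "https://meet.example.org/") -> str:
    """Join URL with a 128-bit ID from the OS CSPRNG (22 base64url characters)."""
    return base + secrets.token_urlsafe(16)


if __name__ == "__main__":
    # Constructed sample: a short numeric ID next to a freshly generated one.
    for url in ("https://meet.example.org/j/123456789", new_join_url()):
        print(review_join_url(url))
```

A meeting password and a new ID per meeting still matter: this check only gives an upper bound and says nothing about IDs that leak through calendars, screenshots or social media.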

Do I always have to conclude a Data Processing Agreement with a provider?

No. You can forego a Data Processing Agreement if the tool you choose runs on your own server — as is the case with Jitsi Meet or Nextcloud Talk. In all other cases, you should conclude a Data Processing agreement and pay particular attention to the following points:

  • The provider must not use personal data relating to your staff, clients, or suppliers for their own purposes.
  • There must be a clear justification, especially with providers based outside the EU and the European Economic Area, for data being transferred abroad.
  • Providers from the USA must have signed the Privacy Shield agreement to ensure data conformity (at least until the European Court of Justice has ruled on the ongoing case relating to this agreement).


Which alternative to Zoom can be recommended?

The data protection authorities have recommended two providers of video conferencing services: Jitsi Meet and Nextcloud Talk. With these two providers, you are sure to be on the safe side when it comes to data protection. Their advantage is that they offer on-premise solutions. As such, the video conferences take place on your own servers and not on the provider’s.

In general, however, users must be willing to compromise.


For instance, Jitsi Meet cannot always provide an optimal connection. And users have complained that video conferences involving larger numbers of participants do not always run smoothly with Nextcloud Talk. Cisco Webex Meetings, which is particularly good for larger staff meetings, and GoToMeeting, which is frequently used for webinars, on the other hand, work very well, but are based in the USA and therefore fail to score well in terms of data protection.

Are there any tools that are both user friendly and comply with data protection regulations?

User-friendliness and data protection frequently seem to rule each other out. And indeed, there is no provider to date who can fully convince in both areas as the chart below illustrates.

‘Execution power’, the first dimension according to which the tools are evaluated here, stands for a systematic evaluation of market penetration and customer satisfaction. ‘Data privacy’ involves a comprehensive analysis of data security. This is where data encryption, retention periods, data transfers, profiling, and data transparency are evaluated. The assessment also considered previous observations made by data regulators and any data mishaps that may have come to light.

These two dimensions allow the video conferencing tools and their providers to be divided into four groups:

  1. The ‘Secure Leaders’ are those providers whose tools convince both in terms of execution power and data security. However, this field has remained empty. The company that comes closest in this field is Cisco with their ‘Webex’ tool.
  2. There are the ‘Unsecure Leaders’ that offer good market penetration and user friendliness, but insufficient data protection. This is where all the other well-known providers and tools are to be found such as Zoom, MS Teams, Skype, and GoToMeeting.
  3. The ‘Secure Visionaries’ are those services that offer good data protection but have not yet been able to gain large-scale user acceptance. Among these are Jitsi, Nextcloud, Blizz, and Avaya Aura.
  4. Last, but not least, are the ‘Niche Players’ that have neither achieved market penetration nor managed to convince with their data protection, such as Amazon Chime.

Data protection for video conference providers by quadrant — source: G2.com, GoogleTrends, noyb, DataGuard Analysis

What can I do as a user to ensure data protection for video conferences?

The video conferencing tool itself is, in the end, just one side of the coin. Of course, you as a user can also contribute to data protection by following these recommendations, among them:

  • Assign a new ID to each meeting. Be sure not to publish it on the web or on social media.
  • Use clear meeting IDs for each video conference — even if several meetings involving the same participants are planned.
  • If possible, use a password for each meeting. These can be used to further secure the connection from third party access.
  • Keep an eye on those participating in the meeting. If anybody you do not recognise turns up, be sure to ask their name and the reason for their participation. The more people participate, the harder it is for the organisers of a meeting to keep an overview. You also need to be particularly careful in video conferences that can be accessed by phone.
  • Should you wish to record a video conference — whether just the audio or the entire video — you will need to inform all the participants in advance. The participants must also be able to speak out against the recording without suffering any disadvantages and be able to leave the meeting.
  • You’ve probably already heard about phishing. You should, of course, also exercise caution when you receive a link inviting you to participate in a video conference by email or from social contacts. If in doubt, get in touch with the sender, and never open links or attachments from senders you do not know.
  • Only provide information that is actually relevant to the conversation. Close any windows you do not need and, if possible, share only specific programmes, tabs or other content rather than your entire desktop.

Don’t commit to a video conferencing tool too quickly

When choosing the best tool for video conferencing, you need to balance your business needs with data protection concerns. This can, however, make the decision-making process rather time consuming. When in doubt, speak to your company’s data protection officer. They are always a good person to speak to when it comes to putting solutions through their paces.
