Return to search

Digital distansundervisning och GDPR : Särskilt om Zoom vid Sveriges universitet och högskolor efter Schrems II-målet / Distance learning and GDPR : Especially about Zoom at Swedish universities after the Shrems II case

The ongoing Covid-19 pandemic has led to society being forced to switch to a digital presence, where physical meetings have been replaced by digital ones. For universities, this has meant that teaching and examinations have taken place through a special installation of the video conferencing service Zoom. Zoom is offered in a so-called on-premises installation which largely runs on private servers or instance, in Denmark. NORDUnet and Sunet are the providers of the special installation which has been given the “Sunet E-meeting”. For the service to work, personal data is processed. This data includes names and e-mail addresses, but also meeting data, gathered by the camera and audio feed, and IP-addresses. All personal data should be processed on the private instance according to the service description. To connect to the service, various options are provided, including installing a client provided by Zoom on a computer or smartphone. Another way to connect that does not require any installation is through a web client, also provided by Zoom.  One of Sweden’s universities recently discovered that a student who joined the meeting via the web client was connected to a public Zoom data center in the United States. Through network analyzes and the study below, it turns out that the web client is a form of exception in the service where traffic does not go directly to the private cloud. Instead, the traffic goes via Zoom's public cloud where traffic is at risk of going to various data centers both outside and within the European Union. This study of the service is based on the data protection legislation. Questions concerning the division of roles and responsibilities between the data controller and the processor, security concerns, the use personal data, processing, and third-country transfers has been done.  Following the Schrems II judgment, where the European Court of Justice ruled that the United States does not have an adequate level of protection regarding the protection of individuals' personal data, the possibilities of transferring personal data to the country were limited. Determining whether the usage of the cloud service means that personal data is transferred to the United States or not is therefore of great importance. This study concludes that a third country transfer has occurred at least once, which is not compatible within the data protection regulation. The study also shows the importance of knowledge of the service being used both by the controller and processor to ensure correct processing of the data.

Identiferoai:union.ndltd.org:UPSALLA1/oai:DiVA.org:su-192552
Date January 2021
CreatorsAndersson Rosengren, Pontus
PublisherStockholms universitet, Juridiska institutionen
Source SetsDiVA Archive at Upsalla University
LanguageSwedish
Detected LanguageEnglish
TypeStudent thesis, info:eu-repo/semantics/bachelorThesis, text
Formatapplication/pdf
Rightsinfo:eu-repo/semantics/openAccess

Page generated in 0.002 seconds