How does GDPR impact pro AV and managed services?
Enforcement of the EU General Data Protection Regulation begins May 25. Tim Kridel explores how it affects pro AV, including the emerging device category of smart speakers.
Many European countries already have laws covering data privacy, security and ownership to one extent or another. The technologies and best practices that AV vendors and integrators have developed to comply with those laws will be helpful for accommodating the EU General Data Protection Regulation (GDPR), which will be enforced starting May 25.
Take the example of a managed videoconferencing service that includes archiving, indexing and transcription. Depending on where a particular client has offices, the service will need data location and residence capabilities.
“We’re seeing vendors add residency awareness to their platforms, which means if I’m supporting a client that’s headquartered in Frankfurt, they will automatically hit my Germany-based servers,” says Ira Weinstein, who recently left Wainhouse Research to launch Recon Research.
“But this isn’t perfect. When Germany is in a video call with London, where does the data sit? That’s a problem, and we don’t have it solved.”
That hasn’t prompted enterprises to avoid managed services, but time will tell whether the GDPR causes them to reassess the situation.
“As a hosted/managed service provider, we took the decision not to offer recording capabilities to our clients.”
“Nobody is saying, ‘No video calls because of this,’” Weinstein says, referring to the GDPR’s predecessors and cousins. “But they are saying: ‘We expect our vendors to provide a proper data residence plan. We expect to know where our data is. And if there is a violation, we want to know about it.’”
These concerns are a reason why some AV firms have limited the types of managed services they offer—even before the GDPR.
“As a hosted/managed service provider, we took the decision not to offer recording capabilities to our clients,” says David Willie, Saville Audio Visual head of marketing and product management.
“The decision to do this was made a number of years ago due to the extensive regulations around call recording and storage.
“Our clients understand the reasons we don’t offer this service and are actually pleased to hear it’s not within our portfolio of unified communications (UC) services. It gives them greater confidence that what is said during a meeting featuring live interaction and commercially sensitive video content is not at risk of being distributed either accidentally or maliciously by somebody within or outside the business.”
New opportunities and responsibilities
On the plus side, the GDPR could help drive adoption of managed services by providing legal clarity across the whole EU region. For example, suppose one conference participant is in the UK, another is in Germany and another is in France.
Does the GDPR mean the managed service provider has to store each participant’s data on a server in their respective countries?
“The GDPR is a regulation that will apply throughout Europe with mostly the same rules in each European jurisdiction,” says Sarah Delon-Bouquet, counsel at the Paris office of Bryan Cave, an international law firm. “This should facilitate data traffic in the EU.
“Data won’t need to be held in one EU country but in another EU country. The same rules will apply irrespective of the fact that participants are in different EU countries. If data are transferred outside the EU—for example, if the servers are not in the EU—protective measures will need to be implemented.”
Bottom line: The GDPR is something AV firms have to master if they want to stay or get into managed services.
“GDPR places increased emphasis on accountability,” says Martin Whitworth, IDC research director for European data security and privacy. “This means not just being responsible for and complying with GDPR obligations, but [also] being able to evidence and prove compliance. This applies to cloud service providers, managed service providers and other third parties.
“GDPR extends certain data protection law obligations and liabilities to apply to data processors, and managed service providers will be exposed to those obligations and liabilities in addition to their usual contractual obligations. This means increased risks for them.”
The GDPR uses the concept of “online identifiers” to define personal data. That can include things that seem more offline than on, such as a meeting participant’s employee ID badge or name on the title slide of her presentation.
“Online identifiers include IP addresses or radio frequency identification (RFID) tags, for example,” Delon-Bouquet says. “If the IP traffic involves transfers of data which relates to persons which can be identified (for example of IP addresses), then it would be subject to the GDPR.
“You have to look at what data is processed and if this data [can] identify a participant. A PowerPoint presentation may include the presenter’s name, for example.”
The D in GDPR stands for “data.” Videoconferencing and UC are data in the sense that they’re IP traffic. So does the GDPR cover anything and everything that’s IP traffic?
“Yes, the GDPR does cover anything and everything in that sense,” says Scott Giordano, Robert Half Legal director of consulting solutions. “I think the best way to approach this is to ask, ‘What elements of TCP/IP traffic either directly identify someone (e.g., the video of the person or the person’s name on the slide) or indirectly identify them (e.g., voice only or IP address)?’ Recital 30 of the GDPR is very instructive — and somewhat surprising in its scope — in that it considers ‘online identifiers’ to be personal data, that is, information ‘provided by [a data subject’s] devices, applications, tools and protocols,’ which could be many things.”
To appreciate how many surprises that scope could create, consider the impact of older data laws, such as those limiting what employers can collect about employees. For example, prior to making a dialler product available, Biamp Systems realised that it would have to ensure that end user information was not gathered and stored by the product that logged errors and events.
“It had user accounts on it, so therefore it was possible to know which user started and ended the call at what time,” says Chris Fitzsimmons, Biamp product manager. “That falls foul of at least a sibling of GDPR because in many European work environments, you’re not allowed to track what your employees do on the phone.
“If there was a meeting between Facebook and Cambridge Analytica in a room that had an Echo Dot in it, is the UK Information Commission within their right to subpoena that information?”“So there are a lot of unintended consequences. We never set out to be a data-storing product. It was meant to be a [troubleshooting] feature.”
The moral of this story is that vendors and integrators have to scrutinise even seemingly innocuous features and services to make sure they don’t knock themselves or their clients out of GDPR compliance.
“Anything with people’s names in it should immediately have big, red flashing lights above it,” Fitzsimmons says. “If I’m the AV manager at the customer, and I want to see how my Symphony system is looking, you’re providing username password credentials, probably the name and a photograph of the user. That is definitely [under] GDPR. It’s got a name, an identifiable photograph, there’s all kinds of personal information attached to that.”
The walls have ears
Vendors, integrators and their customers already have their hands full figuring out how the GDPR applies to traditional AV systems. Smart speakers such as Amazon Alexa [pictured above] and Google Home add to that challenge not only because they’re an additional type of device to consider, but also because of how they work.
For example, instead of presenters having to muddle through a conference room’s unfamiliar touchpanel, they could simply tell the smart speakers in the room to lower the shades or download their presentation. (For a deeper dive into why and how pro AV can use smart speakers, see “AI and AV: Rise of the machines”.)
To perform their tasks, smart speakers are constantly listening for “wake words” such as “Okay Google,” followed by instructions. The artificial intelligence (AI) that enables smart speakers to comprehend everyday language resides in the cloud. So does the machine learning (ML) that scrutinizes billions of utterances so the AI can continually improve its ability to understand people.
This approach creates a host of security and privacy concerns, starting with the obvious one of hackers commandeering smart speakers to eavesdrop on executive meetings. This possibility is one reason why some AV pros are sceptical that smart speakers will be widely adopted—at least not in their current form.
“GDPR extends certain data protection law obligations and liabilities to apply to data processors, and managed service providers will be exposed to those obligations and liabilities.”
“Alexa is a network device which connects out to a public cloud service via the public internet,” says Saville’s Willie. “It listens to every single significant or insignificant word spoken in the room. Every word.
“As a user, you have no control over what it listens to, what it reacts to, where it retains its requested vocabulary list [and] where its history of recently requested requests are stored.
More worrying is who has access to any of this externally. As cybersecurity concerns escalate on a daily basis, should we put this device as a central feature to a corporate board room? At this stage, my suggestion would be no.”
Other AV pros agree.
“No trading house, law firm, government institution, bank is going to touch this with a 20-foot pole,” Fitzsimmons says. “If there was a meeting between Facebook and Cambridge Analytica in a room that had an Echo Dot in it, is the UK Information Commission within their right to subpoena that information? This is a very large Pandora’s Box.”
And it’s already cracked open in some countries. For example, one US law enforcement agency subpoenaed Amazon for information collected by a smart speaker that was present where a murder occurred. There’s also the risk that a user’s smart speaker’s data could inadvertently get dragged into law enforcement’s hands simply because it’s stored on the same server as the one under investigation.
The GDPR could become a factor if the smart speaker is capturing personally identifiable information — a possibility that gets even more likely as more AI is applied in future versions. For example, tomorrow’s smart speakers could identify each participant in a meeting room by comparing what they hear to employee voiceprints, which are as unique as fingerprints. Data doesn’t get more personally identifiable than that.
A matter of trust
Now some hopeful news. These types of concerns could create opportunities for pro AV. For instance, conferencing vendors could develop smart speakers with customer-configurable features to ensure compliance with the GDPR and any other security/privacy laws. That could help convince businesses to pay a premium for pro-grade smart speakers rather than using cheap consumer models.
“There is opportunity for this level of control in meeting rooms, but I believe it will only be successful in corporate meeting environments if driven forward by professional systems manufacturers who can provide credible evidence of security controls,” says Saville’s Willie.
One example is Cisco’s Spark Assistant [pictured above in use on the Cisco Spark room dual], which went into beta in March.
“Our model is that you’re cueing it with, ‘Hey Spark, start my meeting’ or ‘Hey Spark, record the meeting,” says Angie Mistretta, Cisco director of collaboration endpoint technology marketing. “If it’s not hearing those wake words, then it’s not doing anything.
“It’s interesting that everyone is leaning forward on the [artificial] intelligence front, and everyone wants it. But I don’t think people talk about all of the downstream impacts of having these always-on features. There’s a ton of benefits of having them, but there is also a little bit of risk—depending on the provider. If you’re going with a consumer kind of thing, I wouldn’t trust that solution.”