Computers, Privacy & the Constitution
Zoom litigation regarding a privacy issue

1. Outline of the litigation

In the spring of 2020, 14 class-action complaints were filed against Zoom Video Communications (“Zoom”). In May 2020, the U.S. District Court for the Northern District of California consolidated them into a single class action. The claims of the class action are as follows:

  • Zoom shared users’ personal data with third-party internet services such as Facebook, Google and LinkedIn without any notice to users (the privacy issue); and
  • Zoom did not take appropriate measures and allowed hackers to interrupt online meetings through so-called “Zoombombing” (a phenomenon where outsiders hijack Zoom meetings and display offensive messages or images) (the security issue).

In August 2021, Zoom finally agreed to settle the lawsuit by paying a total of $85 million to users who started using its application from March 30, 2016 to July 30, 2021. In detail, Zoom subscribers would be eligible to receive a 15 percent refund on their primary subscriptions or $25, whichever is greater. Other users could receive a refund of up to $15.

2. Is this an appropriate solution for the issues?

(1) The deterrent effect of the $85 million payment

Generally speaking, $85 million is a large amount of money. It might seem to work as a deterrent against Zoom and other similar companies that handle customers’ personal information. However, thanks to the Covid-19 pandemic, Zoom’s business has rapidly expanded. In the third quarter of fiscal year 2022 alone (from August 1, 2021 to October 31, 2021, soon after the settlement of the aforementioned litigation), its total revenue was $1,050.8 million, and even the net income attributable to common stockholders was $340.3 million. Thus, the payment of $85 million is unlikely to have a serious impact on Zoom. While, of course, this litigation has a considerable impact on Zoom’s reputation, it does not effectively work as a deterrent against future privacy and security issues.

(2) The nature of damage caused by personal information leakage

In addition, as stated above, the amount that each Zoom user who suffered a data breach and security breach can receive is very small (only $15, $25 or 15% of the subscription). Moreover, once personal information is leaked, such information may be diffused without limitation. It is impractical to stop such diffusion or to identify all recipients of such information and have them delete it. It is impossible to calculate the amount of damages suffered by people whose personal information is leaked. In other words, such damages are not recoverable by monetary payment. Therefore, the regulations on personal information protection must be strict. In order to have companies that handle a lot of users’ personal information comply with such regulations, serious sanctions (e.g. a large surcharge, suspension of business) should be imposed by administrative authorities, separately from civil litigation.

3. Is Zoom the only one to be held accountable?

Demand for Zoom and other similar online meeting services exploded during the Covid-19 pandemic. Many companies instructed their employees to conduct via Zoom meetings that had traditionally been conducted in person. Many schools stopped offering in-person classes and switched to Zoom classes. Those employees and students did not download the Zoom application and create their Zoom accounts of their own will. They had no choice but to start using the Zoom application because, without it, they could not work at their company, or could not attend classes and graduate from their school. As a result of instructions from their employer or school, their personal information was shared with third-party internet services such as Facebook against their will.

As stated above, the damage arising from the leakage of personal information cannot, by its nature, be compensated by monetary payment. The government, companies, schools and any other entities which have constituent members must understand that, in this information society, new technologies usually entail security and privacy risks. They must also understand that those who will be exposed to such risks by the introduction of the new technologies are not the entities themselves but their constituent members. Therefore, even if a certain new technology is very convenient and seems to have a great positive impact on their business, such entities should carefully consider the privacy and security risks arising from the service and investigate whether the service provider takes appropriate protection measures. If they neglect such considerations and investigations before requiring their employees or students to use new technologies, and as a result expose them to security and privacy risks, such entities should be held accountable. Data privacy regulations should take such entities’ responsibilities and obligations into account.


r1 - 11 Mar 2022 - 05:24:23 - RisakoSuzuki
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.