The Search for a GDPR Compliant Webinar Platform

Published on 2021-09-24

So, the Swedish consulting firm I work at - Factor 10 - is hosting a webinar about GDPR compliance. The basic premise is that a lot of people (and companies) assume it's legal to use services from American providers (such as Amazon Web Services, Microsoft OneDrive, or Google Workspace) as long as they store data about EU citizens in the EU and the provider says it is GDPR compliant. This is not the case.

So, of course we're going to host that webinar on Zoom like we've always done, right?

Maybe not, so let's take a moment and write down a few reasonable requirements for our new webinar platform:

  1. GDPR compliant
  2. Recording of webinars
  3. Multiple speakers
  4. Up to 200 attendees
  5. No registration for attendees (i.e. we don't want your email address)

Let's dig a bit deeper into the first requirement: GDPR compliance. By this I mean that every company involved in providing the webinar (including their sub-processors) needs to follow the GDPR and be based in the EU/EEA or in one of the countries the European Commission has recognized as providing adequate data protection (the "adequacy" list).

To take the US as an example of why it matters to be on that list (the US is not), consider the following quote from this assessment by the European Data Protection Board (EDPB):

The US CLOUD Act thus states an extraterritorial reach of powers under the US Stored Communication Act. Therefore, service providers controlling personal data whose processing is subject to the GDPR or other EU or Member States’ law will be susceptible to facing a conflict of laws between US law and the GDPR and other applicable EU or national law of the Member States.

You can read about the US CLOUD Act here; if you want to dig a bit deeper, search for articles on the Schrems II ruling or FISA Section 702.

Basically, US federal law enforcement can demand data from any provider under US jurisdiction (which includes every American company) regardless of where the data is stored - i.e. the FBI can compel Google to hand over data stored in IKEA's GCP account, regardless of which regions IKEA is using.

This would not directly mean that IKEA is breaching the GDPR; Google would be the one unlawfully transferring data outside the EU. However, the GDPR (Article 28) also requires that when you choose service providers (processors, in GDPR terms) you use only ones that provide sufficient guarantees that they will uphold their part of the GDPR. When it comes to the US and the CLOUD Act, this is not something we can guarantee, and the same goes for countries with similar laws. I'm not a privacy law expert so will be deferring to those that are, which means that if you or any of your service providers aren't on the list, you're out.

(If you take issue with my interpretation of the situation, you can read this as a quest for the most European webinar platform we can find. Cool? Good, let's go on.)

This means that anyone who uses one of the big three cloud providers - Amazon Web Services, Microsoft Azure, and Google Cloud Platform - is out. As you will see below, this complicates things quite a bit.

Let's Ask the Internet

I found a list here of the 10 best webinar software platforms in 2021. If that link is dead, no worries, I'll go through the list below and see how they match up against our requirements.

1. Demio

Demio is run by Demio Holding, Inc. Being run by an American company immediately disqualifies it for us, so there's no need to look at their actual product.

2. Livestorm

The description of Livestorm says that it's based in France and that they're GDPR compliant, so this looks promising. However, visiting their site shows a contact address in Woburn, Massachusetts, and their footer says that the copyright belongs to Livestorm, Inc.

Their Legal Notice, however, says that the platform is "published by" Livestorm SAS in France. It also reveals that they are using AWS, which means that all data goes through an American company, so Livestorm is disqualified.

3. Ever Webinar

Ever Webinar is run by Genesis Digital LLC out of Las Vegas, Nevada, United States, and as such fails our GDPR requirement.

4. WebinarJam

WebinarJam is run by the same company as Ever Webinar (Genesis Digital LLC) and as such fails our GDPR requirement too.

5. Webinar Ninja

Webinar Ninja is run by Team ON PTY Ltd., based in Sydney, Australia. Australia is unfortunately not on the list, so it's probably not OK to use. Regardless, their privacy policy says that their servers are located in the US, so even if Australia were OK, the US is not, and Webinar Ninja is out.

6. WebEx

WebEx is made by Cisco WebEx, a subsidiary of Cisco Systems, Inc. - which I'm sure you've heard of. Since Cisco is an American company, WebEx is disqualified.

7. GetResponse

GetResponse is a Polish email marketing platform that apparently also has webinar support. Being Polish, they aren't immediately disqualified and reading their privacy policy reveals the following tidbit:

Recipients who we transfer the data to are based mainly in Poland and other countries of the European Economic Area (EEA), e.g., France. Some of them are based outside of the EEA. We’ve made sure that our service providers guarantee a high level of personal data protection. We comply with the applicable data protection laws and GetResponse confirms that the conditions set in the GDPR are met.

"Mainly" isn't good enough for us since we need to be certain that no data ends up where it shouldn't. I never bothered to investigate this further because they wanted me to enter my physical address and phone number when I tried to sign up - and I'm not cool with that.

8. ClickMeeting

ClickMeeting is actually the most interesting platform on this list. They're a Polish company and are very transparent about which services they use.

Looking here we can see that they use GetResponse for email marketing, and OVH Cloud (a French cloud provider, which at the time of writing is actually hosting this blog) and AWS for hosting.

I saw a list of supported regions somewhere when I investigated them and it seems that you can select a region served by OVH Cloud for your account which would land them in "not sure" territory (since we can't know for sure if any of our data do pass through AWS regardless of server choice), which sadly isn't good enough.
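As an added illustration (example code, not part of the original post or of ClickMeeting's own documentation), here is one way to turn that "not sure" into a partial check: resolve the platform's hostnames and match each address against AWS's published ip-ranges.json. The prefixes and DNS results in the block are constructed samples, not real AWS ranges or real ClickMeeting addresses; the loader mirrors the real file's shape (a "prefixes" list with "ip_prefix", "region" and "service"). A hit is conclusive, but as the paragraph above says, a miss is not.

```python
"""Match resolved IP addresses against a cloud provider's published ranges.

Added example, not part of the original post. The sample data below is
CONSTRUCTED for illustration and only mirrors the shape of AWS's real
https://ip-ranges.amazonaws.com/ip-ranges.json; download the current file
for a real check.
"""
import ipaddress
import json

# Constructed sample in the ip-ranges.json shape. These are documentation
# ranges (RFC 5737), NOT real AWS prefixes.
SAMPLE_AWS_RANGES_JSON = """
{
  "syncToken": "0",
  "createDate": "2021-09-24-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24",  "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"}
  ]
}
"""


def load_ranges(raw_json):
    """Parse ip-ranges.json text into a list of (network, region, service)."""
    data = json.loads(raw_json)
    return [
        (ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
        for p in data["prefixes"]
    ]


def classify_ip(ip, ranges):
    """Return the most specific (prefix, region, service) containing ip, or None.

    Most specific means longest prefix, so a service-specific /25 (EC2) wins
    over the enclosing generic /24 (AMAZON) that the file also lists.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, region, service in ranges:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, region, service)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def assess_hosts(resolved, ranges):
    """resolved: {hostname: [ip, ...]} as returned by your own DNS lookups.

    Returns {hostname: verdict}. A hit proves the connection terminates at
    AWS. A miss proves nothing: the front end may sit on another provider or
    a CDN while the backend still runs on AWS, which is exactly why picking
    an OVH region only lands a platform in "not sure" territory.
    """
    verdicts = {}
    for host, ips in resolved.items():
        hits = [(ip, classify_ip(ip, ranges)) for ip in ips]
        hits = [(ip, h) for ip, h in hits if h is not None]
        if hits:
            ip, (prefix, region, service) = hits[0]
            verdicts[host] = f"AWS ({service}, {region}, {ip} in {prefix})"
        else:
            verdicts[host] = "not in published AWS ranges (inconclusive)"
    return verdicts


# Constructed DNS results for hypothetical hostnames; not real lookups.
SAMPLE_RESOLVED = {
    "app.example-webinar.test": ["198.51.100.10"],
    "eu.example-webinar.test": ["192.0.2.7"],
}

if __name__ == "__main__":
    rngs = load_ranges(SAMPLE_AWS_RANGES_JSON)
    for host, verdict in assess_hosts(SAMPLE_RESOLVED, rngs).items():
        print(f"{host}: {verdict}")
```

To use it for real, download the current ip-ranges.json and resolve the platform's web, API and media hostnames yourself (the example deliberately does no network access). Treat a hit as settled; treat a miss as a reason to go back to the legal notice and sub-processor list, which remain the deciding evidence.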

9. Livestream

Livestream is a webinar platform owned by Vimeo Inc. which is an American company.

10. Webinars On Air

Seems to have disappeared so I'm not sure if this list really was for 2021. Visiting www.webinarsonair.com makes Firefox throw up a warning about the SSL certificate not being valid for that host and searching for them only returns other sites mentioning them.

They were probably American anyways.

There Must Be Others

So, that didn't bear any fruit. Can we come up with some alternatives ourselves?

The obvious Zoom competitors, Microsoft Teams and Google Meet, are made by American companies, so they aren't GDPR compliant either. That leaves non-American companies, of which I came up with two: Zoho and a Swedish cloud provider we're already using named City Cloud.

11. Zoho

Zoho is an Indian company that provides more services than you can dream up. They probably have an alternative to whatever other app you're using, and their offerings seem decent, although navigating them can be a bit messy.

Unfortunately India isn't on the list, so we can't be sure that using services from Indian companies is OK. I also could not find any way of disabling email registration for attendees when I tried it out - you have to enter your email address to get an email containing the link to the actual webinar.

Because of both of the above, Zoho is out.

12. City Cloud

City Cloud is a Swedish cloud provider that runs OpenStack. They also have a few additional offerings, among them video meetings. Being Swedish with their own servers is great - the GDPR is happy. Unfortunately, their product page states that they only support up to 70 attendees, which isn't enough for us.

Is This the End?

So, that's 15 platforms (counting Google Meet, MS Teams and Zoom) that don't fit our requirements. Are there any other alternatives?

Sure, hang tight while I author the next post where I will explore two open source options (BigBlueButton and Jitsi Meet), looking at both self-hosting and any SaaS offerings I can find. Rest assured, there is some hope!