zlacker

Speaking of pinky promises:

> We will not use ... protected health information, to train our artificial intelligence models without your consent.

> We routinely enter into ... legally required business associate agreements (BAA) with our healthcare customers. Our practices and handling of ... protected healthcare data are controlled by these separate terms and applicable laws.

To my understanding there is nothing in the separate terms (BAA) or applicable laws (HIPAA) that actually guarantees this.

I don't want to assume malice but if in good faith I would have expected an updated BAA with an explicit declaration regarding data access and disclosure in a legally-binding fashion rather than a promissory blogpost vaguely referencing laws that don't themselves inherently restrict the use of PHI for training by Zoom.

It would really only require a single term.

replies(1): >>petese+Gj

>>halduj+(OP)
They have added:

> Notwithstanding the above, Zoom will not use audio, video or chat Customer Content to train our artificial intelligence models without your consent.

replies(3): >>Jare+nm >>halduj+3n >>dspill+h02

>>petese+Gj
Doesn't the TOS already count as consent?

replies(1): >>checky+IQ

>>petese+Gj
The BAA (https://explore.zoom.us/docs/en-us/baa.html) looks the same. Did you mean to the TOS (which is subject to change as has now happened twice)?

The BAA still states: Zoom shall not Use and/or Disclose the Protected Health Information except as otherwise limited in this Agreement ... for the proper management and administration of Zoom ... Zoom will only use the minimum necessary Protected Health information necessary for the proper management and administration of Zoom’s business specific purposes

As discussed in my comments on yesterday's post "proper management and administration" is vague language copied from HHS and can be construed as improving products as described in a legal analysis I quoted. I would also hazard a guess that a provider signing this agreement could be construed to have implied consent.

Nevertheless, it would not be hard to explicitly state that this does not include training models in the only truly legally binding agreement at play. An explicit declaration was also recommended in said legal analysis.

replies(1): >>robert+zu

>>halduj+3n
For me, that BAA doc flashes up and immediately redirects me to the homepage.

replies(1): >>halduj+fA

>>robert+zu
Strange, only seems to be happening to me on mobile.

This should work: https://web.archive.org/web/20230808072418/https://explore.z...

>>Jare+nm
That is where I am stuck.

Until the TOS clearly says otherwise, as far as I can see, the TOS at least implies this:

1. We will not use your data to train AI without your consent.

2. By accepting these TOS, you give your consent to everything in this long list (which includes training AI).

replies(1): >>mnw21c+i01

>>checky+IQ
In Europe/UK, it is established law that agreeing to TOS is not consent for everything in it, especially when referring to the use of personal data for things that aren't strictly necessary to do what the user has asked, and also especially given that in order for it to be consent freely given then there must be no difference in service depending on whether consent is given or not.

However, many companies reckon they'll get away with it, the enforcement is not universal and rapid, and I don't trust Zoom as far as I can throw it on this particular score.

>>petese+Gj
But the TOS says:

> You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, … [rest already quoted several times in the thread]

so that promise to not do it without consent is meaningless as they have consent from anyone who has agreed to the ToS which anyone using the service/product has done.