> We will not use ... protected health information, to train our artificial intelligence models without your consent.
> We routinely enter into ... legally required business associate agreements (BAA) with our healthcare customers. Our practices and handling of ... protected healthcare data are controlled by these separate terms and applicable laws.
To my understanding there is nothing in the separate terms (BAA) or applicable laws (HIPAA) that actually guarantees this.
I don't want to assume malice, but in good faith I would have expected an updated BAA with an explicit declaration regarding data access and disclosure in a legally binding fashion, rather than a promissory blog post vaguely referencing laws that don't themselves inherently restrict the use of PHI for training by Zoom.
> You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, … [rest already quoted several times in the thread]
So that promise not to do it without consent is meaningless, as they have consent from anyone who has agreed to the ToS, which anyone using the service/product has done.
The BAA still states: Zoom shall not Use and/or Disclose the Protected Health Information except as otherwise limited in this Agreement ... for the proper management and administration of Zoom ... Zoom will only use the minimum necessary Protected Health information necessary for the proper management and administration of Zoom’s business specific purposes
As discussed in my comments on yesterday's post, "proper management and administration" is vague language copied from HHS and can be construed as improving products, as described in a legal analysis I quoted. I would also hazard a guess that a provider signing this agreement could be construed to have given implied consent.
Nevertheless, it would not be hard to explicitly state that this does not include training models in the only truly legally binding agreement at play. An explicit declaration was also recommended in said legal analysis.
In Europe/UK, it is established law that agreeing to ToS is not consent for everything in it, especially when referring to the use of personal data for things that aren't strictly necessary to do what the user has asked, and also especially given that, for consent to be freely given, there must be no difference in service depending on whether consent is given or not.
However, many companies reckon they'll get away with it, enforcement is not universal or rapid, and I don't trust Zoom as far as I can throw it on this particular score.
It would really only require a single term.