End-to-end encryption: what it actually protects
Zoom offers optional end-to-end encryption (E2EE) for meetings. When enabled, meeting content is encrypted on each participant's device and decrypted only by other participants — Zoom's servers cannot access the meeting content. This is a genuine technical safeguard.
But E2EE has significant limitations. It is not enabled by default — administrators must turn it on and participants must opt in for each meeting. When E2EE is active, several features are disabled: cloud recording, live transcription, breakout rooms, polling, and meeting reactions. Most critically, if a meeting is cloud-recorded, E2EE cannot apply to that recording — the recording is stored on Zoom's US servers in a form Zoom can access.
For compliance purposes, E2EE protects live meeting content from a CLOUD Act order. But it does not protect: meeting metadata (who joined, when, how long), chat messages sent during meetings, cloud recordings, meeting transcriptions, or any data processed by Zoom's AI features. The metadata alone — which reveals who your organization meets with and how often — may constitute personal information under Canadian privacy law.
Zoom AI Companion and data processing
Zoom AI Companion provides meeting summarization, smart recording highlights, and chat assistance. These features require Zoom to process meeting content through AI models. Zoom has stated that it does not use customer content to train its AI models — but the processing itself occurs on Zoom's infrastructure, which is US-based.
When AI Companion processes a meeting involving Canadian participants, the meeting content transits through US infrastructure for AI analysis. For organizations subject to Law 25, this processing constitutes a cross-border transfer of any personal information discussed in the meeting. The transfer occurs regardless of whether the meeting used E2EE, because AI Companion and E2EE are mutually exclusive — you cannot use both simultaneously.
What data Zoom retains
Beyond meeting content, Zoom retains: participant names, email addresses, and join/leave times; device information and IP addresses; meeting duration and frequency data; chat logs from in-meeting and persistent chat; cloud recordings and transcripts; and calendar integration data including meeting titles and attendee lists.
For organizations using Zoom Phone, Zoom also retains call records, voicemail content, and SMS messages. All of this data is stored on US infrastructure and subject to US legal process.
The compliance position
Quebec organizations must produce a Transfer Impact Assessment for Zoom. The assessment should acknowledge the dual nature of Zoom's exposure: live meetings with E2EE enabled have meaningful content protection, but everything around the meeting — metadata, recordings, transcripts, AI processing, chat — remains fully exposed.
The practical recommendation for most organizations is: use Zoom, enable E2EE for sensitive meetings, disable AI Companion for meetings involving regulated personal information, avoid cloud recording of meetings with sensitive content, and document the assessment including the limitations of available safeguards.
Zoom is operated by Zoom Video Communications Inc. (US-incorporated) and is subject to the CLOUD Act. BC public bodies were temporarily permitted to use Zoom during COVID-19 under a ministerial order. Under the permanent amended FIPPA framework, a privacy impact assessment is required if Zoom processes sensitive personal information.