Here is what I understand, AI which needs the "data" and MS Teams Meeting Recording of Video/Audio/Transcript/Images/Photos is a "data" which Co-Pilot processes.
However to ensure GDPR, Privacy UK/EU laws are complied with IF an organizer of the meeting which was recorded - want to share the recording with a non-invited attendee - than an explicit permission to allow sharing is required. Hence when you as an attendee try to share the recording with someone who was not part of that meeting and if you try to share - it blocks you BUT the organizer can share it, download it, since the recorded file is in their OneDrive and they can easily share it without any attendees of that meeting knowing about it.
It's always important that a written explicit permission AND a context is provided behind the intensions to share to someone outside that meeting are requested. If no consent is taken and the recordings are shared outside of the attendees knowledge than (Caveat: Although I am not a solicitor or an expert of GDPR laws) it may have issues and may not be compliant with GDPR UK/EU laws (Best to check with a GDPR expert).
In summary, sharing a Teams recording outside of the intended attendees can be a GDPR issue, but it's not automatically illegal. The key is to ensure that all data processing activities are lawful, fair, transparent, and proportionate, and that participants are informed and have the right to object to the processing, if necessary.
References: Consent:
While not always explicitly required, obtaining consent from participants for recording and sharing the recording outside of the meeting attendees is a good practice, especially if the recording contains sensitive personal data AND there is a risk if the sharer (organizer) of that meeting takes the sharing intensions out of context which risks bias, defenseless position of other attendees due to no knowledge of their recording have been shared without them being able to prepare and had given no consent whatsoever.
Purpose:
The purpose for which the recording is made and shared must be legitimate and clearly communicated to participants.
Transparency:
Participants should be informed about the recording and its potential sharing.
Data Minimization:
Only share the recording with individuals who genuinely need access to it, and for the specific purpose for which it was shared.
Security:
Ensure that the recording is stored and shared securely, preventing unauthorized access or disclosure.
Retention:
The recording should be kept for no longer than necessary for the stated purpose and then deleted appropriately.
Practical Implications:
- Internal Sharing: Sharing with internal employees who need to know the information (e.g., supervisors, team members) for legitimate business reasons is generally permissible, provided they have a legitimate need to access the recording. External Sharing:
Sharing with external individuals (e.g., clients, partners) may be problematic under GDPR unless they have explicitly consented to be recorded and the recording is shared for a legitimate purpose.
Consent: While not always explicitly required, obtaining consent from participants for recording and sharing the recording outside of the meeting attendees is a good practice, especially if the recording contains sensitive personal data.
The purpose for which the recording is made and shared must be legitimate and clearly communicated to participants.
**Transparency:**
Participants should be informed about the recording and its potential sharing.
**Data Minimization:**
Only share the recording with individuals who genuinely need access to it, and for the specific purpose for which it was shared.
**Security:**
Ensure that the recording is stored and shared securely, preventing unauthorized access or disclosure.
**Retention:**
The recording should be kept for no longer than necessary for the stated purpose and then deleted appropriately.
Practical Implications:
**Internal Sharing:**
Sharing with internal employees who need to know the information (e.g., supervisors, team members) for legitimate business reasons is generally permissible, provided they have a legitimate need to access the recording.
**External Sharing:**
Sharing with external individuals (e.g., clients, partners) may be problematic under GDPR unless they have explicitly consented to be recorded and the recording is shared for a legitimate purpose.