Zoom is no longer compatible with GDPR, Hamburg data watchdog claims

Regulator claims city officials are using a "legally highly problematic system"

A German data protection commissioner has officially warned Hamburg's Senate Chancellery to avoid using Zoom as it is no longer compatible with GDPR.

Hamburg's acting Commissioner for Data Protection and Freedom of Information, Ulrich Kühn, said in a press release that the on-demand version of the video conferencing platform does not meet the legislation's criteria when it comes to data transfers.

He cites the European Court of Justice's (CJEU) Schrems II decision, announced in July 2020, which invalidated the EU-US data transfer mechanism known as Privacy Shield and required alternative mechanisms to be more rigorous.

"All employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission," Kühn wrote. "As the central service provider, Dataport also provides additional video conference systems in its own data centres. These are used successfully in other countries [sic] such as Schleswig-Holstein. It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system."

The issue appears to relate to a dispute over the way Zoom has used standard contractual clauses (SCCs) to justify its data transfers. On it's website, Zoom says its services feature "an explicit consent mechanism for EU users" on its platform and that the firm has implemented "zero-load" cookies for users whose IP address show they are visiting the site from an EU member state. Specifically, the firm states: "we ensure that the transfer is governed by the European Commission's standard contractual clauses (SCC)".

However, following the Schrems II decision in July 2020, companies are now required to perform additional steps to justify their use of SCCs, including performing additional risk assessments - something that Zoom appears not to have done.

Neil Brown, the director of virtual English law firm decoded.legal, told The Register that the press release was "somewhat oblique" but suggested that the Hamburg Data Protection Authority considers that Zoom does not ensure a level of protection for personal data which is "essentially equivalent" to that afforded by the GDPR.

Related Resource

The technology of trust

How to protect your most valuable commodity

The technology of trust- whitepaper from OktaDownload now

"Many businesses used to address the international transfers aspect of the GDPR by incorporating the model contract clauses/SCCs into their contracts with organisations in non-adequate jurisdictions," Brown told The Register. "In Schrems II, the CJEU said that these were not, in themselves, sufficient, and that a transferring controller must do a comprehensive risk assessment, and put appropriate additional measures in place to ensure 'essentially equivalent' protection.

"And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose. And, lo and behold, there is a new European set, which is a heck of a lot more complicated."

In a statement, Zoom said it was proud to work with the City of Hamburg and many other leading German organisations, businesses and education institutions.

"The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us,"  the firm said. "Zoom is committed to complying with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR."

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Senator reintroduces federal data protection bill
data protection

Senator reintroduces federal data protection bill

17 Jun 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021