IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Zoom is no longer compatible with GDPR, Hamburg data watchdog claims

Regulator claims city officials are using a "legally highly problematic system"

A German data protection commissioner has officially warned Hamburg's Senate Chancellery to avoid using Zoom as it is no longer compatible with GDPR.

Hamburg's acting Commissioner for Data Protection and Freedom of Information, Ulrich Kühn, said in a press release that the on-demand version of the video conferencing platform does not meet the legislation's criteria when it comes to data transfers.

He cites the European Court of Justice's (CJEU) Schrems II decision, announced in July 2020, which invalidated the EU-US data transfer mechanism known as Privacy Shield and required alternative mechanisms to be more rigorous.

"All employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission," Kühn wrote. "As the central service provider, Dataport also provides additional video conference systems in its own data centres. These are used successfully in other countries [sic] such as Schleswig-Holstein. It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system."

The issue appears to relate to a dispute over the way Zoom has used standard contractual clauses (SCCs) to justify its data transfers. On it's website, Zoom says its services feature "an explicit consent mechanism for EU users" on its platform and that the firm has implemented "zero-load" cookies for users whose IP address show they are visiting the site from an EU member state. Specifically, the firm states: "we ensure that the transfer is governed by the European Commission's standard contractual clauses (SCC)".

However, following the Schrems II decision in July 2020, companies are now required to perform additional steps to justify their use of SCCs, including performing additional risk assessments - something that Zoom appears not to have done.

Neil Brown, the director of virtual English law firm, told The Register that the press release was "somewhat oblique" but suggested that the Hamburg Data Protection Authority considers that Zoom does not ensure a level of protection for personal data which is "essentially equivalent" to that afforded by the GDPR.

Related Resource

The technology of trust

How to protect your most valuable commodity

The technology of trust- whitepaper from OktaDownload now

"Many businesses used to address the international transfers aspect of the GDPR by incorporating the model contract clauses/SCCs into their contracts with organisations in non-adequate jurisdictions," Brown told The Register. "In Schrems II, the CJEU said that these were not, in themselves, sufficient, and that a transferring controller must do a comprehensive risk assessment, and put appropriate additional measures in place to ensure 'essentially equivalent' protection.

"And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose. And, lo and behold, there is a new European set, which is a heck of a lot more complicated."

In a statement, Zoom said it was proud to work with the City of Hamburg and many other leading German organisations, businesses and education institutions.

"The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us,"  the firm said. "Zoom is committed to complying with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR."

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Most Popular

Why convenience is the biggest threat to your security

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022