A German data protection commissioner has issued a formal warning to Hamburg’s Senate Chancellery, stating that Zoom is no longer GDPR compliant.
Ulrich Kühn, Hamburg’s acting Commissioner for Data Protection and Freedom of Information, said in a news statement that the video conferencing platform’s on-demand version does not match the legislation’s data transmission criteria.
He cites the European Court of Justice’s (CJEU) Schrems II ruling, which invalidated the EU-US data transfer framework known as Privacy Shield and mandated more robust alternative mechanisms.
“All employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission,” Kühn wrote. “As the central service provider, Dataport also provides additional video conference systems in its own data centres. These are used successfully in other countries such as Schleswig-Holstein. It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system.”
The problem appears to be related to a disagreement regarding Zoom’s use of standard contractual clauses (SCCs) to legitimise data transfers. Zoom claims on its website that its services include a “explicit consent mechanism for EU users” on its platform, as well as “zero-load” cookies for visitors whose IP addresses indicate they are visiting from an EU member state. “We ensure that the transfer is governed by the European Commission’s standard contractual clauses (SCC),” the firm says.
However, as a result of the Schrems II decision in July 2020, companies must now take additional steps to justify their use of SCCs, including conducting additional risk assessments, which Zoom does not appear to have done.
The press release was “somewhat oblique,” according to Neil Brown, director of virtual English law firm decoded.legal, but it suggested that the Hamburg Data Protection Authority believes Zoom does not provide a level of personal data protection that is “essentially equivalent” to that provided by the GDPR.
“Many businesses used to address the international transfers aspect of the GDPR by incorporating the model contract clauses/SCCs into their contracts with organisations in non-adequate jurisdictions,” Brown told The Register. “In Schrems II, the CJEU said that these were not, in themselves, sufficient, and that a transferring controller must do a comprehensive risk assessment, and put appropriate additional measures in place to ensure ‘essentially equivalent’ protection.
“And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose. And, lo and behold, there is a new European set, which is a heck of a lot more complicated.”
Zoom said it was proud to partner with the City of Hamburg as well as many other important German organisations, corporations, and educational institutions in a statement.
“The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us,” the firm said. “Zoom is committed to complying with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR.”