A German data protection commissioner (DPC) has officially warned Hamburg’s Senate Chancellery to avoid using Zoom as it is incompatible with the General Data Protection Regulation (GDPR).
In a press release, Ulrich Kuhn, Hamburg’s acting Commissioner for Data Protection and Freedom of Information, said that Zoom does not meet the legislation’s data transfer rules.
Kuhn wrote, “All employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission. As the central service provider, Dataport also provides additional video conference systems in its own data centres. These are used successfully in other countries such as Schleswig-Holstein. It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system.”
Schrems II and Zoom
The European Court of Justice’s Schrems II decision invalidated the data transfer mechanism between the European Union and the United States, known as the Privacy Shield. For data sharing with non-adequate jurisdictions, it effectively rendered Standard Contractual Clauses (SCCs) insufficient as the sole basis for data transfers. Consequently, companies in non-EU countries must take additional steps to justify their use and perform additional risk assessments.
Zoom, however, uses only standard contractual clauses to justify data transfer, IT Pro reported. On its website, Zoom says its services feature “an explicit consent mechanism for EU users.” It further says that it has implemented zero-load cookies for users whose IP addresses show they are from an EU member state. However, the DPC perhaps does not consider these to be “essentially equivalent” to the protections that the GDPR guarantees, making the data transfers illegal.
Responding to the press release, Zoom said:
“The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. Zoom is committed to complying with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR.”