Zoom incompatible with GDPR, claims data protection watchdog for the German city of Hamburg

Takes aim at US videoconferencing software as tech world+dog calls lawyer for a quick chat

The acting Hamburg Commissioner for Data Protection and Freedom of Information has officially warned the city's Senate Chancellery not to use the on-demand version of Zoom's videoconferencing software.

Referring to the European Court of Justice Schrems II decision of July 2020, Ulrich Kühn claimed the software violates the EU General Data Protection Directive (GDPR) as "such use is associated with the transmission of personal data to the US."

Kühn stated bluntly:

“A data transfer is therefore only possible under very strict conditions, which are not available when the Senate Chancellery is planning to use Zoom.”

Dr Gabriela Zanfir-Fortuna, Future of Privacy Forum director, publicly speculated this morning that Zoom had relied "on SCCs, but with insufficient supplemental measures," opining: "A pattern emerges showing public offices, gov agencies & their US-based service providers as the immediate target of Schrems II enforcement... It's going to be a busy fall, folks."

Neil Brown, director at tech-savvy virtual English law firm decoded.legal, told The Register he interpreted the "somewhat oblique" press release to mean the Hamburg DPA considers that Zoom "does not ensure a level of protection for personal data which is 'essentially equivalent' to that afforded by the GDPR."

Brown added: "Many businesses used to address the international transfers aspect of the GDPR by incorporating the model contract clauses/SCCs into their contracts with organisations in non-adequate jurisdictions.

"In Schrems II, the CJEU said that these were not, in themselves, sufficient, and that a transferring controller must do a comprehensive risk assessment, and put appropriate additional measures in place to ensure 'essentially equivalent' protection.

"And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose. And, lo and behold, there is a new European set, which is a heck of a lot more complicated."

Kühn's pronouncement further in the warning (via Google Translate) that the Senate Chancellery had been "unwilling to respond to ... repeated concerns" and had missed deadlines to submit documents and arguments also caught the eye. Brown told The Reg this suggested that the "warning stemmed, at least in part, from a seeming lack of cooperation" by the Senate Chancellery, speculating this might have to do with "political infighting."

As for the larger implications of the Schrems II ruling, including the fresh SCCs, Brown commented that it was: "Good news for lawyers, for self-hosted solutions, and for service providers which do not need to transfer personal data to non-adequate jurisdictions. Less good news for anyone facing a pile of new paperwork and lawyers' bills."

Zoom has said its products feature "an explicit consent mechanism for EU users" on its platform and that it has implemented "zero-load" cookies for users whose IP address show they are accessing the site from a EU member state.

Under the heading "European Data Protection Specific Information," Zoom has said:

“Where personal data of users in the EEA, Switzerland, or the UK is being transferred to a recipient located in a country outside the EEA, Switzerland, or the UK which has not been recognized as having an adequate level of data protection, we ensure that the transfer is governed by the European Commission's standard contractual clauses.”

We have asked the firm for clarification. The page was last updated on 4 June 2021 – the same day the European Commission published its final Implementing Decision adopting several new standard contractual clauses for the transfer of personal data to third countries. The new SCCs – serving orgs making data transfers to and from the EU and covering both the European processor and the US controller – were responses to deficiencies in previous SCCs brought to light in the Schrems II ruling. The fact that the update happened on the same day might lead an onlooker to assume the fresh SCCs were implemented... which leads to more questions.

Mind the Brexit gap

The UK's Information Commissioner is currently working on its own draft international data transfer agreement. The regulator also recently moved to draft a UK-specific contractual addendum so that the county will be able bolt on those new EU standard contractual clauses on the international transfer of personal data to allow use of the European Commission's new SCCs in a UK context. After all, Brexit meant Brexit.

In the background is the report from the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR), characterised by a Reg colleague as "a Brexit goon-squad of Tory MPs" which has taken aim at Article 5 of GDPR, which states among other things that data should be "collected for specified, explicit and legitimate purposes" and be "adequate, relevant and limited to what is necessary." The report moaned that this limited "AI organisations from collecting new data before they understand its potential value and they also mean that existing data cannot be reused for novel purposes."

The Commission formally announced its adoption of adequacy decisions for the UK [PDF] on 28 June, which would have been a relief to many businesses in the country relying on EU data flows. However, as critics have pointed out, the adequacy designation may not necessarily stand should a determined effort be made to divert UK legislation too far from the protections afforded to citizens of the EU.

Zoom has been in touch to say: "Zoom is proud to work with the City of Hamburg and many other leading German organizations, businesses and education institutions. The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. Zoom is committed to complying with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR."


By Jude Karabus, The Register, 17 August 2021