Hamburg DPA warns Zoom incompatible with GDPR

One of Germany’s staunchest data regulators has warned local government departments to stop using Zoom because it believes the videoconferencing app is incompatible with the General Data Protection Regulation (GDPR).

In a statement Monday, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) formally warned the city’s Senate Chancellery against using the on-demand version of Zoom’s videoconferencing software because the company transfers users’ data to the United States for processing.

Under the terms of the GDPR, the personal data of EU citizens can only be transferred to a third country if that country provides a similar level of protection to the European Union. The United States does not meet that threshold due to the strength of the country’s surveillance laws and the scrapping of the EU-U.S. Privacy Shield in July 2020.

The HmbBfDI said documents submitted by the Senate Chancellery on the use of Zoom showed GDPR standards were not being adhered to. The local government body neither stopped using Zoom, nor provided any additional documents to prove compliance with the GDPR after the data protection authority’s first warning in June. This forced the regulator to issue a public warning.

The HmbBfDI added that a data transfer to the United States is only possible under very strict conditions, which are not met when Zoom is used for videoconferencing.

Ulrich Kühn, the acting Hamburg commissioner for data protection and freedom of information, said in a statement: “Public bodies are particularly bound to comply with the law. It is therefore more than regrettable that such a formal step had to be taken.”

Kühn added that a local alternative videoconferencing system provided by the German firm Dataport is readily available and already used by a number of local, regional, and state government bodies.

“It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system,” said Kühn.

Zoom, launched in 2013, has seen its popularity surge because of the pandemic and remote working, but concerns about data privacy and security persist. Late last month, the company preliminarily agreed to settle a class-action privacy lawsuit in the United States for $85 million.

In an emailed statement, Zoom said: “We are proud to work with the City of Hamburg and many other leading German organizations, businesses, and education institutions. … Zoom is committed to complying with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR.”

This is not the first time EU data regulators have expressed concerns about the widespread use of U.S.-based technologies for work purposes and their impact on respecting the bloc’s strict privacy laws.

In May, the European Data Protection Supervisor launched investigations into whether EU institutions’ use of cloud-based services by Amazon and Microsoft violates the GDPR because of unsafe data transfers. Also being examined is whether the European Commission’s use of Microsoft Office 365 produces similar risks.

More widely, several EU data protection authorities are investigating whether U.S.-based networking apps—including WhatsApp and Clubhouse—are GDPR compliant.

Since the Privacy Shield’s demise, the European Union had hoped to confirm a replacement mechanism quickly, but differences of opinion with U.S. counterparts about what constitutes “data privacy,” as well as a reluctance by the United States to modify or scrap national laws that allow access to personal data for security reasons, have slowed progress.

In the meantime, the European Union has attempted to beef up standard contractual clauses (SCCs) as a way of making data transfers to third countries safer, although they do not offer full protection.

Companies exporting data still need to assess the risks around data transfers, use additional measures to ensure data protection, consider what kind of personal data is being transferred (and for what purpose), and assess how the legislation and practices in the third country might impact the level of data protection.
By Neil Hodge, Aug 19, 2021