Zoom is no longer compatible with GDPR, Hamburg data watchdog claims
Regulator claims city officials are using a "legally highly problematic system"


A German data protection commissioner has officially warned Hamburg's Senate Chancellery to avoid using Zoom as it is no longer compatible with GDPR.
Hamburg's acting Commissioner for Data Protection and Freedom of Information, Ulrich Kühn, said in a press release that the on-demand version of the video conferencing platform does not meet the legislation's criteria when it comes to data transfers.
He cites the European Court of Justice's (CJEU) Schrems II decision, announced in July 2020, which invalidated the EU-US data transfer mechanism known as Privacy Shield and required alternative mechanisms to be more rigorous.
"All employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission," Kühn wrote. "As the central service provider, Dataport also provides additional video conference systems in its own data centres. These are used successfully in other countries [sic] such as Schleswig-Holstein. It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system."
The issue appears to relate to a dispute over the way Zoom has used standard contractual clauses (SCCs) to justify its data transfers. On its website, Zoom says its services feature "an explicit consent mechanism for EU users" on its platform and that the firm has implemented "zero-load" cookies for users whose IP addresses show they are visiting the site from an EU member state. Specifically, the firm states: "we ensure that the transfer is governed by the European Commission's standard contractual clauses (SCC)".
However, following the Schrems II decision in July 2020, companies are now required to perform additional steps to justify their use of SCCs, including performing additional risk assessments - something that Zoom appears not to have done.
Neil Brown, the director of virtual English law firm decoded.legal, told The Register that the press release was "somewhat oblique" but suggested that the Hamburg Data Protection Authority considers that Zoom does not ensure a level of protection for personal data which is "essentially equivalent" to that afforded by the GDPR.
"Many businesses used to address the international transfers aspect of the GDPR by incorporating the model contract clauses/SCCs into their contracts with organisations in non-adequate jurisdictions," Brown told The Register. "In Schrems II, the CJEU said that these were not, in themselves, sufficient, and that a transferring controller must do a comprehensive risk assessment, and put appropriate additional measures in place to ensure 'essentially equivalent' protection.
"And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose. And, lo and behold, there is a new European set, which is a heck of a lot more complicated."
In a statement, Zoom said it was proud to work with the City of Hamburg and many other leading German organisations, businesses and education institutions.
"The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us," the firm said. "Zoom is committed to complying with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR."
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.
Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.