Germany’s Hamburg privacy watchdog has warned the city’s state government that its use of Zoom’s on-demand video-conferencing product violates the EU’s privacy laws.
The official warning came from Ulrich Kühn, acting Hamburg commissioner for Data Protection and Freedom of Information (HmbBfDI), concerning the Hamburg state government’s use of Zoom — and specifically, the transmission of data to the US. That transmission, said Kühn, violated the EU’s General Data Protection Regulation (GDPR).
The warning was aimed at Hamburg’s state government, the Senate Chancellery of the Free and Hanseatic City of Hamburg (FHH).
Kühn said its use of Zoom violated GDPR in light of the July 2020 ‘Schrems II’ ruling by the European Court of Justice (CJEU), which invalidated the EU-US Privacy Shield arrangement for transatlantic data transfers.
The Schrems II ruling was the second CJEU decision based on complaints from Austrian lawyer Max Schrems about EU-US data sharing following revelations about US mass surveillance by ex-NSA contractor Edward Snowden in 2013.
Schrems’ first complaint forced the EU to ditch the previous EU-US Safe Harbor agreement in 2015. But the US hasn’t changed its surveillance laws, such as the Foreign Intelligence Surveillance Act and the Clarifying Lawful Overseas Use of Data (CLOUD) Act, meaning that European data was not protected in the US to the equivalent level required under European law.
“A data transfer is therefore only possible under very strict conditions that are not available when the Senate Chancellery is planning to use Zoom,” HmbBfDI said in a statement.
Kühn said the government should use a video-conferencing system from a legally “unproblematic” German IT provider that operates from local data centres.
“In the FHH, all employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission. As the central service provider, Dataport also provides additional video conference systems in its own data centers.” (Google Translate)
“It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system.”
A Zoom spokesperson said its video-meeting service for the City of Hamburg and other German organizations complied with EU privacy laws.
“The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. Zoom is committed to complying with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR,” the spokesperson said.
Zoom’s paper about data transfers from Europe to the US states that it will sign Standard Contractual Clauses (SCCs) with EU customers, and that it takes “additional safeguards” to protect data to a level equivalent to that of Europe’s data protection laws.
Uncertainty over Schrems II and Privacy Shield affects most major US tech firms. In May, Europe’s collective of national data protection authorities, EDPR, kicked off an investigation into whether Microsoft’s and Amazon’s cloud SCCs are valid under GDPR.
Also in May, Microsoft announced a plan to allow EU organizations to store data in its European data centres by the end of 2022. Microsoft’s EU Data Boundary program includes extra “steps to minimize transfers of both Customer Data and Personal Data outside of the EU”.