Zoom in Breach of GDPR According to Hamburg Data Protection Body

A decision has been taken by the acting Hamburg Commissioner for Data Protection and Freedom of Information, due to the European Court of Justice Schrems II decision of July 2020,  that anyone who is employed by or working with the city’s Senate Chancellery should be be using the on-demand version of Zoom’s video conferencing solution.

This is due to the fact that doing so could, potentially, be a breach of the European Union’s General Data Protection Regulation (GDPR). 

Zoom has reacted to this ruling by issuing a press release titled ‘European Data Protection Specific Information’ which says: “Where personal data of users in the EEA, Switzerland, or the UK is being transferred to a recipient located in a country outside the EEA, Switzerland, or the UK which has not been recognized as having an adequate level of data protection, we ensure that the transfer is governed by the European Commission’s standard contractual clauses.”

This was after Acting Hamburg Commissioner for Data Protection and Freedom of Information Commissioner, Ulrich Kühn, said that he is of the opinion that the software “is associated with the transmission of personal data to the US”.

He added that “a data transfer is therefore only possible under very strict conditions, which are not available when the Senate Chancellery is planning to use Zoom.”

In an interview with online news outlet The Register, Neil Brown director at an English law firm said that the decision made by Kühn appears to be saying that Zoom “does not ensure a level of protection for personal data which is ‘essentially equivalent’ to that afforded by the GDPR” and that “many businesses used to address the international transfers aspect of the GDPR by incorporating the model contract clauses/SCCs into their contracts with organisations in non-adequate jurisdictions.

He added: “In Schrems II, the CJEU said that these were not, in themselves, sufficient, and that a transferring controller must do a comprehensive risk assessment, and put appropriate additional measures in place to ensure ‘essentially equivalent’ protection. And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose. And, lo and behold, there is a new European set, which is a heck of a lot more complicated.”

Zoom also commented that its products feature “an explicit consent mechanism for EU users” on its platform and that it has implemented “zero-load” cookies for users whose IP address show they are accessing the site from a EU member state.




About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas should has data protection and innovations such as telehealth.