Hamburg regulator warns government against using Zoom
The privacy watchdog says Zoom's software violates the GDPR
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has formally warned the city's Senate Chancellery against using the on-demand version of Zoom's videoconferencing software.
The watchdog said said Zoom's software violates the EU's GDPR privacy regulation, as the company transfers users' data to the United States for processing.
The warning follows the landmark Schrems II ruling by the EU Court of Justice in July 2020, in which the Court told privacy regulators to suspend data transfers via standard contractual clauses (SCCs) outside the EU, if data protection in other countries could not be assured.
The court invalidated the four-year-old Privacy Shield agreement between the EU and the USA, on the grounds that it had failed to adequately protect European users' data from US surveillance.
The Court said that US laws did not match the strict data protection requirements established by the GDPR, meaning that European citizens' personal data cannot be safely processed in the US without additional safeguards.
In the Hamburg case, HmbBfDI said the documents submitted by the Senate Chancellery on the use of Zoom showed that GDPR standards were not being adhered to.
The Senate Chancellery neither stopped using Zoom, nor provided any additional documents to prove compliance usage, after the data protection agency's first warning.
This forced HmbBfDI to issue a public warning.
The privacy regulator added that a data transfer with the US is only possible under very strict conditions, which are not available when Zoom is used for video conferencing.
"Public bodies are particularly bound to comply with the law. It is therefore more than regrettable that such a formal step had to be taken," Ulrich Kühn, the acting Hamburg commissioner for data protection and freedom of information, said in a press release.
Kühn added that a local, alternative video conferencing system provided by the German firm Dataport is readily available.
Dataport supplies software to a number of local, regional and state government bodies.
Zoom was launched in 2013, but its popularity grew rapidly last year when the pandemic forced people to stay at and work from home. The surge in its user base also brought huge pressure for the company, which struggled to deal with security issues.
Earlier this month, Zoom agreed to settle a class action privacy lawsuit in the USA for $86 million (£61.8 million). The lawsuit, filed last year, alleged that Zoom had breached millions of users' privacy by sharing their personal data with Facebook, LinkedIn and Google.
It also accused the company of failing to prevent threat actors from disrupting Zoom meetings, and misguiding users by claiming that it offered end-to-end encryption.
The lawsuit was filed on behalf of Zoom Meetings' paid subscribers and free users, seeking damages under California's Consumer Privacy Act.