Hamburg Data Protection Agency Deems Zoom in Breach of GDPR

Referring to the European Court of Justice Schrems II decision of July 2020, the acting Hamburg Commissioner for Data Protection and Freedom of Information informed those working with the city’s Senate Chancellery that the on-demand version of Zoom’s video conferencing software should not be used as it may be in breach of the European Union’s General Data Protection Regulation (GDPR).

The Commissioner, Ulrich Kühn, made this claim as he believes that the software “is associated with the transmission of personal data to the US.” He added, in relation to this issue, that: “A data transfer is therefore only possible under very strict conditions, which are not available when the Senate Chancellery is planning to use Zoom.”

Zoom has responded to the ruling with a release titled ‘European Data Protection Specific Information’ stating: “Where personal data of users in the EEA, Switzerland, or the UK is being transferred to a recipient located in a country outside the EEA, Switzerland, or the UK which has not been recognized as having an adequate level of data protection, we ensure that the transfer is governed by the European Commission’s standard contractual clauses.”

Zoom also commented that its products feature “an explicit consent mechanism for EU users” on its platform and that it has implemented “zero-load” cookies for users whose IP addresses show they are accessing the site from an EU member state.

Speaking to online news outlet The Register, Neil Brown, director at an English law firm, said that the Hamburg DPA appears to be ruling that Zoom “does not ensure a level of protection for personal data which is ‘essentially equivalent’ to that afforded by the GDPR” and that “many businesses used to address the international transfers aspect of the GDPR by incorporating the model contract clauses/SCCs into their contracts with organisations in non-adequate jurisdictions.”

He added: “In Schrems II, the CJEU said that these were not, in themselves, sufficient, and that a transferring controller must do a comprehensive risk assessment, and put appropriate additional measures in place to ensure ‘essentially equivalent’ protection. And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose. And, lo and behold, there is a new European set, which is a heck of a lot more complicated.”






Author: Security News