Zoom may no longer be GDPR-compatible

A German data watchdog has warned public sector organizations against using the on-demand version of hugely popular video conferencing tool Zoom, which it says is no longer compatible with the General Data Protection Regulation (GDPR).

Hamburg's acting Commissioner for Data Protection and Freedom of Information, Ulrich Kühn, warned the city's Senate Chancellery that Zoom (the on-demand variant) doesn’t meet the EU’s criteria when it comes to data transfers.

In the announcement, he referred to the European Court of Justice’s Schrems II decision from July 2020, which ruled that the EU-US agreement on data transfers, called the Data Protection Shield, is invalid due to concerns over US state and law enforcement agencies using it for surveillance.

“In the FHH (City of Hamburg), all employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission,” a translation of the announcement reads. “As the central service provider, Dataport also provides additional video conference systems in its own data centers. These are used successfully in other countries such as Schleswig-Holstein. It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system.”

Further explaining the problem, IT Pro says the issue lies in the way Zoom uses standard contractual clauses (SCC) to justify its data transfers. Zoom claims it requires "an explicit consent mechanism for EU users" and has "zero-load" cookies for users coming from an EU member state. 

“We ensure that the transfer is governed by the European Commission's standard contractual clauses (SCC),” the company claims.

But after the Schrems II ruling, businesses need to take further steps to justify their use of SCCs, which the watchdog believes Zoom has not done.

Zoom responded to the accusations with a classic PR statement that its top priorities are privacy and security of its users, and that it’s “committed to complying with all applicable privacy laws”.