The acting Hamburg Commissioner for Data Protection and Freedom of Information has officially warned the city’s Senate Chancellery not to use the on-demand version of Zoom’s videoconferencing software.
Referring to the European Court of Justice Schrems II decision of July 2020, Ulrich Kühn claimed the software violates the EU General Data Protection Directive (GDPR) as “such use is associated with the transmission of personal data to the US.”
Kühn stated bluntly:
Zoom has said its products feature “an explicit consent mechanism for EU users” on its platform and that it has implemented “zero-load” cookies for users whose IP addresses show they are accessing the site from an EU member state.
Under the heading “European Data Protection Specific Information,” Zoom has said:
We have asked the firm for clarification. The page was last updated on 4 June 2021 – the same day the European Commission published its final Implementing Decision adopting several new standard contractual clauses for the transfer of personal data to third countries. The new SCCs – serving orgs making data transfers to and from the EU and covering both the European processor and the US controller – were responses to deficiencies in previous SCCs brought to light in the Schrems II ruling.
Dr Gabriela Zanfir-Fortuna, Future of Privacy Forum director, publicly speculated this morning that Zoom had relied “on SCCs, but with insufficient supplemental measures,” opining: “A pattern emerges showing public offices, gov agencies & their US-based service providers as the immediate target of Schrems II enforcement… It’s going to be a busy fall, folks.”
Neil Brown, director at tech-savvy virtual English law firm decoded.legal, told The Register he interpreted the “somewhat oblique” press release to mean the Hamburg DPA considers that Zoom “does not ensure a level of protection for personal data which is ‘essentially equivalent’ to that afforded by the GDPR.”
Brown added: “Many businesses used to address the international transfers aspect of the GDPR by incorporating the model contract clauses/SCCs into their contracts with organisations in non-adequate jurisdictions.
“In Schrems II, the CJEU said that these were not, in themselves, sufficient, and that a transferring controller must do a comprehensive risk assessment, and put appropriate additional measures in place to ensure ‘essentially equivalent’ protection.
“And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose. And, lo and behold, there is a new European set, which is a heck of a lot more complicated.”
Kühn’s pronouncement further in the warning (via Google Translate) that the Senate Chancellery had been “unwilling to respond to … repeated concerns” and had missed deadlines to submit documents and arguments also caught the eye. Brown told The Reg this suggested that the “warning stemmed, at least in part, from a seeming lack of cooperation” by the Senate Chancellery, speculating this might have to do with “political infighting.”
As for the larger implications of the Schrems II ruling, including the fresh SCCs, Brown commented that it was: “Good news for lawyers, for self-hosted solutions, and for service providers which do not need to transfer personal data to non-adequate jurisdictions. Less good news for anyone facing a pile of new paperwork and lawyers’ bills.”
The UK’s Information Commissioner is currently working on its own draft international data transfer agreement. The regulator also recently moved to draft a UK-specific contractual addendum so that the country will be able to bolt on those new EU standard contractual clauses on the international transfer of personal data to allow use of the European Commission’s new SCCs in a UK context. Brexit meant Brexit.
In the background is the report from the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR), characterised by a Reg colleague as “a Brexit goon-squad of Tory MPs” which has taken aim at Article 5 of GDPR, which states among other things that data should be “collected for specified, explicit and legitimate purposes” and be “adequate, relevant and limited to what is necessary.” The report moaned that this limited “AI organisations from collecting new data before they understand its potential value and they also mean that existing data cannot be reused for novel purposes.”
The Commission formally announced its adoption of adequacy decisions for the UK on 28 June, which would have been a relief to many businesses in the country relying on EU data flows. However, as critics have pointed out, the adequacy designation may not necessarily stand should a determined effort be made to divert UK legislation too far from the protections afforded to citizens of the EU.
We have asked Zoom for comment. ®