Hamburg DPA Warns Against Zoom Use - Data Privacy Concerns

Data Protection Warning Issued to Hamburg Government Regarding Zoom Usage

The government of Hamburg, Germany, has received an official warning concerning the utilization of Zoom due to potential breaches of data protection regulations.

GDPR Violation Concerns

Yesterday, the German state’s Data Protection Agency (DPA) publicly cautioned that the Senate Chancellory’s continued reliance on the widely-used videoconferencing platform infringes upon the stipulations of the European Union’s General Data Protection Regulation (GDPR). This is attributed to the transfer of user data to the United States for processing purposes.

The Schrems II Ruling and its Impact

This action by the DPA stems from a significant legal decision, known as Schrems II, delivered by Europe’s highest court last summer. The ruling invalidated the Privacy Shield framework – a key data transfer agreement between the EU and the U.S. – after determining that U.S. surveillance legislation is incompatible with EU privacy rights.

The repercussions of Schrems II have unfolded gradually, initially creating widespread legal ambiguity. However, numerous European DPAs are now scrutinizing the use of digital services based in the U.S. due to these data transfer issues.

Increased Scrutiny of U.S.-Based Services

Consequently, public warnings have been issued against employing popular U.S. platforms like Facebook and Zoom, as user data cannot be sufficiently protected when transmitted across international borders.

German authorities have been particularly proactive in this area. Simultaneously, the EU’s data protection supervisor is conducting an investigation into the bloc’s utilization of cloud services provided by U.S. technology companies Amazon and Microsoft, citing the same data transfer concerns.

Ongoing Negotiations and the Search for Alternatives

Discussions between the European Commission and the Biden administration are currently underway to establish a new data transfer agreement. However, EU legislators have consistently cautioned against a hasty resolution, emphasizing that reforms to U.S. surveillance laws are likely necessary before a revised Privacy Shield can be implemented.

As this legal uncertainty persists, an increasing number of public sector organizations within Europe are facing pressure to abandon U.S.-based services in favor of compliant, locally-hosted alternatives.

Hamburg's Specific Case

In the specific instance of Hamburg, the DPA issued a public warning to the Senate Chancellory after receiving an insufficient response to previously raised concerns.

The agency maintains that the public body’s use of Zoom fails to meet the GDPR’s requirement for a legitimate legal basis for processing personal data. The DPA stated that submitted documentation demonstrates a failure to adhere to GDPR standards.

Formal Procedure and Lack of Compliance

A formal procedure was initiated on June 17, 2021, through a hearing. However, the Senate Chancellory did not cease using the videoconferencing tool, nor did it present any further documentation or arguments to demonstrate compliant usage.

This led to the DPA issuing a formal warning, as outlined in Article 58 (2) (a) of the GDPR.

Call for Local Solutions

Ulrich Kühn, the acting Hamburg commissioner for data protection and freedom of information, expressed his disbelief that the regional body continues to disregard EU law to utilize Zoom.

He highlighted the availability of a local alternative provided by Dataport, a German company that supplies software to numerous state, regional, and local government entities.

Kühn stated that public bodies are especially obligated to uphold the law, and that the formal warning was regrettable. He pointed out that all employees within the Senate Chancellory have access to a secure video conferencing tool, and that Dataport offers additional systems within its own data centers, successfully used in regions like Schleswig-Holstein.

Further Updates

We have contacted both the Hamburg DPA and the Senate Chancellory for further clarification.

Update: A spokesperson for the Hamburg DPA indicated that no further formal actions are currently planned. They anticipate the administration will evaluate their legal reasoning and take appropriate measures.

The DPA remains open to further discussions to explore potential solutions, as a formal warning serves to alert the controller to potential issues.

Zoom has also been approached for a statement.

Update: A representative from Zoom has provided a response.