Hamburg’s privacy watchdog has issued an official warning to public authorities on using Zoom, advancing a strict interpretation of international data transfers under the EU’s data regime.
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) officially warned the Senate Chancellery of the Free and Hanseatic City of Hamburg (FHH) from using the video conference service Zoom on Monday (16 August). It argued that the communication service violates the general data protection regulation (GDPR), the EU data protection framework, as it transfers personal data to the United States. The EU Court of Justice has deemed that the US does not provide adequate data protection safeguards in its recent Schrems II ruling.
“Public bodies are particularly bound to comply with the law. It is, therefore, more than regrettable that such a formal step had to be taken. In the FHH, all employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission,” said Ulrich Kühn, the acting Hamburg commissioner for data protection and freedom of information.
According to Kühn, the Senate Chancellery should use Dataport, the central service provider used by other German states such as Schleswig-Holstein. Kühn said that it was ‘incomprehensible’ to use what he described as a ‘legally highly problematic system’.
The Hamburg authority has been a vocal advocate for a more stringent GDPR application in the EU.
“It’s disappointing to see regulators pushing back against the use of widespread tech platforms which facilitate global communications, particularly at a time when many of us are still restricted from travelling due to the pandemic,” said Omer Tene, Vice President and Chief Knowledge Officer at the International Association of Privacy Professionals.
Tene adding that block the use of the Zoom platform “wasn’t the goal of the GDPR”.
A spokesperson from Zoom told EURACTIV the company is “committed to complying with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR.”
[Edited by Benjamin Fox]