First, the EU data protection authorities (DPAs) came for your newsletter (Mailchimp). Then, they came for your cloud storage provider (Cloudflare). And on Monday, the Hamburg DPA said using Zoom could be incompatible with the GDPR’s data transfer rules.
That’s right—the use of Zoom video conferencing software has been declared incompatible with the GDPR in the light of Schrems II.
Does this mean your organisation has to stop using Zoom? Quite possibly.
Let’s take an in-depth look at what we know—and what we don’t know—about this decision.
What’s the background?
The Hamburg DPA is known as one of the EU’s most rigorous data protection regulators. For example, Hamburg issued the €35 million fine against H&M last October—the second-largest GDPR fine on record at the time.
On 16 August 2021, the Hamburg DPA issued a decision concerning the proposed use of Zoom by Hamburg’s Senate Chancellery, a public body that serves as the seat of the region’s mayor.
It appears that the Senate Chancellery had consulted with the DPA about the possibility of using Zoom, and the DPA had repeatedly expressed concern about the proposal.
Despite the DPA’s protestations—and despite “the initiation of a formal procedure” by the DPA in June—the Senate Chancellery apparently continued to press ahead with its Zoom plans.
As a result, the Senate Chancellery received a warning under GDPR Art. 52 (2) (a).
What do we know about this decision?
Apart from a press release (which has been unofficially translated into English), we don’t have a lot of detail about the Hamburg DPA’s decision yet.
But the press release makes some bold and emphatic statements about using Zoom—and provides some limited but revealing reasoning.
As such, this decision can teach us some important lessons about international data transfers, and about the use of Zoom within the EU.
First: Some caveats
There are a few things to note before drawing any generalised conclusions from the Hamburg DPA’s Zoom decision.
Firstly, this decision concerns the use of Zoom’s “on-demand” recordings. On-demand recordings require users to register before receiving access to a Zoom session.
This is important to note, as some other methods of accessing Zoom do not require the user to set up a Zoom account or register with the meeting host.
Does that mean the Hamburg Senate Chancellery would have avoided this problem if it had used a different variant of Zoom? Probably not. There’s no obvious way to participate in a Zoom meeting without sharing some personal data with Zoom.
But it’s possible that the Hamburg DPA’s decision would have been different if the Senate Chancellery had implemented Zoom in a way that collects less personal data.
Secondly, this decision is specific to the Hamburg Senate Chancellery—Zoom itself has not been penalised, and the decision might not apply in the same way to other organisations using Zoom.
The DPA’s press release quotes an apparently frustrated Hamburg Data Protection Commissioner saying that it is “incomprehensible” why the Senate Chancellery “insists” on using Zoom when an EU-based alternative platform (“Dataport”) is available.
But while there is an internal (and possibly political) dimension to this decision, the press release does make clear that the Hamburg DPA applies the international data transfer rules in “the economy as well as in public administration.”
So what’s wrong with using Zoom in the EU?
As mentioned, the Senate Chancellery’s proposed use of Zoom was deemed unlawful due to how Zoom transfers personal data outside of the EU.
The Hamburg DPA says using Zoom “violates the GDPR” because it “involves the transfer of personal data to the USA” without “sufficient protection for such data in this third country.”
The DPA reiterates that the invalidity of data transfers to the U.S. was established by the CJEU’s Schrems II decision, made in July last year.
The DPA further reminds us that Schrems II invalidated Privacy Shield, the data-transfer mechanism that enabled free flows of personal data from the EU to the U.S.
Does Zoom rely on Privacy Shield?
No, according to Zoom’s Privacy Statement, the company relies on standard contractual clauses (SCCs) when transferring personal data to any third country that “has not been recognised as having an adequate level of data protection.”
Despite this, the DPA’s press release does not mention SCCs. But the DPA does say that data transfers to the U.S. are only possible “under very narrow conditions, which do not exist with the planned use of Zoom by the Senate Chancellery.”
What are these “narrow conditions?”
To recap: The invalidation of Privacy Shield was one of two important implications of Schrems II. The other major effect of the decision was that SCCs in themselves could also no longer be relied on for many EU-U.S. data transfers.
As noted at paragraph 133 of the Schrems II decision, SCCs only provide contractual guarantees—transfers may also require “supplementary measures” to protect personal data against interception.
The European Data Protection Board (EDPB) issued recommendations on supplementary measures, finalised this June, setting out the various legal and technical steps to bring international data transfers into GDPR compliance.
So does Zoom not apply any supplementary measures to protect transferred data?
The Hamburg DPA doesn’t explicitly say that Zoom has failed to apply any of the EDPB’s supplementary measures—and remember, this decision is against the Senate Chancellery, not Zoom itself.
So let’s take a look at Zoom’s Data Processing Agreement (DPA), which Zoom calls its “Global Data Processing Addendum.” The publicly available version of this agreement is applicable from May 2021.
Zoom’s DPA contains the old set of controller-processor SCCs—C(2010) 593—adopted in 2010 and updated in 2018.
Zoom’s DPA also sets out the technical and organizational security measures that Zoom takes to protect personal data, which include (among other measures):
- The use of pseudonymisation and encryption
- Access controls and authentication measures
- A security awareness program for Zoom employees
Aren’t these security measures sufficient?
Bear in mind that these security measures aren’t specific to the context of international data transfers.
Zoom’s DPA specifies that data “must be protected and should be encrypted, both in transit and at rest.” Note the “should”—there may be situations in which Zoom cannot encrypt or pseudonymise personal data for technical reasons.
In its supplementary measures recommendations, the EDPB notes that under certain circumstances, there are no known technical measures that can sufficiently safeguard personal data that has been transferred to third countries like the U.S.
At paragraph 94 of its recommendations, the EDPB states that it is “incapable of envisioning an effective technical measure to prevent that access from infringing on the data subject’s fundamental rights” where:
- The data importer “needs access to the data in the clear” (i.e. not pseudonymised or encrypted) in order to execute its assigned tasks, and
- The data importer is subject to laws that go “beyond what is necessary and proportionate in a democratic society.”
It is possible that Zoom meets both of these criteria (it certainly meets the latter)—in which case the validity of the company’s data transfers is questionable regardless of any potential security measures.
So can we conclude that Zoom did not take supplementary measures to safeguard personal data in addition to SCCs?
We can’t conclude for certain that Zoom failed to implement supplementary measures as required by Schrems II, as the Hamburg DPA’s press release does not provide sufficient detail.
However, I’d speculate that this is indeed the problem here
But it’s important not to conflate this with the other privacy and security-related issues that have befallen Zoom since its user base exploded early last year.
There is no allegation that Zoom’s data security practices are particularly poor. For example, the Hamburg DPA’s issues are likely not directly related to the issues raised in the class action against Zoom that was preliminarily settled in California earlier this month.
The issues with Zoom are probably the same as those identified by the Bavarian DPA regarding the use of Mailchimp back in March, or that the Portuguese DPA identified regarding Cloudflare this April.
Schrems II is, gradually, starting to bite—and without legal reform or a high-level diplomatic agreement, it remains unclear how many data transfers to from the EU to U.S.-based companies can ever be compliant with the GDPR.
Does the Zoom decision teach us anything new?
Besides reiterating the existing problems with reliance on SCCs, there’s another interesting potential lesson about international data transfers.
The Hamburg DPA says in its press release that “other legal bases such as the consent of all data subjects are… not relevant here.”
This may be a reference to another potential international data transfer mechanism, provided GDPR Art. 49 (1) (a). Under the GDPR’s “derogations for specific situations,” it is possible to transfer personal data to a third country where the data subject has “explicitly consented.”
Since Schrems II, there has been some discussion around whether the GDPR’s derogations could provide a suitable alternative to SCCs.
The Hamburg DPA’s press release suggests that relying on consent for international data transfers might not be lawful when using Zoom or similar platforms.
In conclusion
- The Hamburg DPA’s decision implies that it is unlawful for US-based data controllers to use Zoom.
- This decision is specific to one controller—the Hamburg Senate Chancellery—and to one Zoom implementation—”on-demand” mode. However, it’s reasonable to draw broader conclusions from the decision with these caveats in mind.
- Zoom relies on SCCs to transfer personal data to the U.S. It is possible that Zoom did not—and perhaps could not—implement supplementary measures to protect EU data subjects’ personal data.
- The Hamburg DPA states that relying on data subjects’ consent would not have solved this problem.
Are you confused about international data transfers?
Over a year on from Schrems II, there are still no easy answers on international data transfers.
Despite new SCCs, new supplementary measures guidance, and technical solutions that may help in some cases, many unanswered questions remain.
If you’re interested in finding solutions that might work for your organisation, PrivSec Global will feature panels on data transfers in the wake of Schrems II. The event takes place on 22-23 September 2021.
Panellists will discuss the implications of DPA and court decisions, and consider the possible ways forward for international data flows.
PrivSec Global September
A Global Live Stream Experience | 22 - 23 September 2021
No comments yet