Woman using Zoom application on mobile phone showing GDPR violation for data transfers

Hamburg DPA Says Zoom Is Not Compliant With GDPR Due to U.S. Data Transfers, No Longer Allowed for State Government Agencies

The outcome of the Schrems II ruling last year continues to plague tech companies operating in Europe, with Zoom the latest to find itself in potential legal difficulty. Germany’s lead data protection authority (DPA) has determined that Zoom’s data transfers to the United States are in violation of the terms of the General Data Protection Regulation (GDPR) in light of the Schrems ruling, and has issued a formal warning to members of the state government to stop use of the popular video conferencing platform.

While the DPA has said that this is the end of formal actions for the moment, the suspension of data transfers to the U.S. is a future possibility given the lack of good alternatives. The EU and U.S. continue to work on a new agreement with no timeframe in place, while many companies have turned to much more complex contractual agreements and expanded scope of strong encryption as a stopgap solution.

Zoom’s U.S. Data Transfers Fall Afoul of Updated GDPR Interpretations

At the moment, this warning is limited to the state government of Hamburg. The written warning states that the Senate Chancellory’s use of the popular video conferencing tool is a violation of the GDPR due to its data transfers to the US. The Senate Chancellory had previously been asked to address concerns about use of Zoom in June and failed to provide an adequate response.

The source of the issue is the Schrems II case ruling of 2020 by the European Court of Justice, which established that data transfers to the U.S. violate the GDPR due to known U.S. government policies of requiring access to foreign data (primarily the Foreign Intelligence Surveillance Act and the Clarifying Lawful Overseas Use of Data (CLOUD) Act). This includes protected personal data. This created a major problem for most of the large tech platforms that operate in the EU, which generally send personal data freely between the two continents for processing that is often handled on the U.S. side.

Though the terms of the ruling technically banned these international data transfers immediately, consequences for companies engaging in them have been slow in the coming. Things were generally on pause into 2021 as an appeal by Facebook was reviewed by the Irish data protection authority. A ruling this past June established that Facebook was in violation of the new terms and was required to suspend its data transfers; by extension, that meant every other tech platform engaging in similar practices.

There are no quick fixes for the situation. The EU and the Biden administration are discussing a legal agreement that will satisfy the terms of the GDPR, but the major obstacle is that the U.S. does not have a federal-level data privacy law that guarantees personal privacy. A law of comparable strength would have to be adopted for normal data transfers to resume without special measures.

Use of SCCs to comply with GDPR

In the interim, some companies are relying on beefed-up standard contractual clauses (SCCs) that specifically guarantee that personal data transferred to the U.S. cannot be accessed by the government; that generally means that everything is encrypted. Others are looking at transferring all data storage and handling involving EU subjects to EU countries. This is the solution proposed in this particular case, with the Senate Chancellory being taken to task by the Hamburg DPA for not using a local videoconferencing alternative called Dataport that already has contracts throughout the German government.

Zoom has made adjustments in an attempt to stay compliant with the GDPR rules, employing an SCC that lays out special data handling rules for site visitors and users that are flagged as being located in the EU. But the DPA has found that Zoom has not fully satisfied the conditions that validate post-Schrems SCCs, such as performing a required series of risk assessments. Organizations that go the SCC route are required to demonstrate an “essentially equivalent” level of protection of data transfers that matches the terms required by the GDPR. Zoom has issued a statement in response to the issue saying that it is committed to complying with all EU laws.

EU government agencies have been the early targets of Schrems enforcement, with the EU’s lead data protection authority opining that it is the responsibility of these entities to lead by example. The path forward for private organizations is less clear, with many trying to cobble together the same sort of SCCs that Zoom has in place in a regulatory environment that remains uncertain after one full year. Some of the largest and best-funded tech companies are exercising the option of moving all EU data processing to local data centers; Microsoft has announced its intention to do exactly this by the end of 2022 as EU authorities investigate the GDPR legality of use of its various cloud services in international data transfers.