Forget “you’re on mute”, “I’m not a cat” or “you have no authority here, Jackie Weaver”: is the latest formal warning from the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DPA) about to become the biggest Zoom story this year? This week’s formal warning, issued under Article 58(2)(a) of the GDPR to the regional Senate Chancellery of Hamburg, states that using Zoom violates the GDPR as it involves the transfer of personal data to the US, for which there is no valid legal basis. You know what is coming next… because of the Schrems II judgment and the striking down of the Privacy Shield, the Hamburg DPA believes “the data of government employees and external participants in the conversation are exposed to the risk of unprovoked state mass surveillance in the USA, against which there are no sufficient legal protection options”.
The Hamburg DPA goes on to say that the EDPB recommendations for international data transfers to third countries are the basis on which transfers may take place. In other words, when transferring personal data outside the EU, the Senate Chancellery will need to be able to show they have undertaken the necessary due diligence in order to demonstrate compliance with the GDPR. In particular, the Senate Chancellery would need to be able to show they have assessed the surveillance laws of the recipient processor’s country (or that of any sub-processors) and, where they are incompatible with EU law, demonstrate which appropriate supplementary measures they have put in place to ensure the protection of the personal data being transferred. The Hamburg DPA say the documents submitted by the Senate Chancellery on their use of Zoom show the recommendations are not being met, and therefore the Hamburg DPA have formally warned against using Zoom.
Ulrich Kühn, the acting Commissioner of the Hamburg DPA said it is “incomprehensible” why the Senate Chancellery was continuing to contravene EU law in order to use Zoom, while also pointing out Dataport, a not-for-profit IT service provider for regional and local administrations, had a video conferencing tool readily available and it was “unproblematic with regard to third-country transmission.”
Is this latest decision a surprise? Given the location of the DPA, the involvement of a public authority, the fact we have a US-based parent company, as well as the ongoing investigations by the European Data Protection Supervisor into US-based cloud services used by the EU institutions, bodies and agencies, probably not. Will the Senate Chancellery capitulate and adopt the Dataport solution, or will they proceed with the use of Zoom, possibly providing the requested compliance documents and seeing what happens? Well, only time will tell.
As a final point, let’s not forget that Germany’s own surveillance agencies themselves are hardly paragons of virtue - "Court curbs German spy agency's bugging abroad" – and one does wonder whether certain regulators in Germany, as they continue to hold court on the alleged “mass surveillance” regimes of other nations, are aware of how sweetly ironic their position is.
"Public authorities are particularly bound to comply with the law. It is therefore more than regrettable that such a formal step had to be taken."