Hamburg’s state government has been formally warned against using Zoom over data protection concerns.
The German state’s data protection agency (DPA) took the step of issuing a public warning yesterday, writing in a press release that the Senate Chancellory’s use of the popular videoconferencing tool violates the European Union’s General Data Protection Regulation (GDPR) since user data is transferred to the US for processing. The DPA’s concern follows a landmark ruling (Schrems II) by Europe’s top court last summer which invalidated a flagship data transfer arrangement between the EU and the US (Privacy Shield), finding US surveillance law to be incompatible with EU privacy rights.
The fallout from Schrems II has been slow to manifest — beyond an instant blanket of legal uncertainty. However a number of European DPAs are now investigating the use of US-based digital services because of the data transfer issue, and in some instances publicly warning against the use of mainstream US tools like Facebook and Zoom because user data cannot be adequately safeguarded when it’s taken over the pond. German agencies are among the most proactive in this respect. But the EU’s data protection supervisor is also investigating the bloc’s use of cloud services from US giants Amazon and Microsoft over the same data transfer concern. German government bodies urged to remove their Facebook Pages before next year.
At the same time, negotiations between the European Commission and the Biden administration to seek a replacement data transfer deal remain ongoing. However EU lawmakers have repeatedly warned against any quick fix — saying reform of US surveillance law is likely required before there can be a revived Privacy Shield. And as the legal limbo continues a growing number of public bodies in Europe are facing pressure to ditch US-based services in favor of compliant local alternatives.