Hamburg’s data protection officer warns Senate about zoom


The acting Hamburg data protection officer, Ulrich Kühn, officially warns the Senate Chancellery of the Hanseatic city against the use of the video conference solution from Zoom in the so-called on-demand version, in which, for example, webinars can be recorded in the cloud for later retrieval. This violates the General Data Protection Regulation (GDPR) because it would transfer personal information to the USA.

In this third country there is insufficient protection for such data, warns the data protection officer. This is particularly in the light of the “Schrems II ruling” of the European Court of Justice and the associated end for the transatlantic Privacy Shield unsustainable. A data transfer is therefore only “possible under very tight conditions”. These were not available when the Senate Chancellery planned to use Zoom. The participants’ data would be “exposed to the risk of unjustified mass surveillance in the USA against which there are insufficient legal protection options”.

The data protection officers of the federal and state governments recommended in an orientation guide in October that video conferencing systems from US providers “should be carefully checked” before use. Businesses, government agencies and other organizations could not easily use applications such as Microsoft Teams, Skype, Zoom, Google Meet, GoToMeeting and Cisco WebEx. According to the Data Protection Conference (DSK), anyone who uses the alternative standard contractual clauses for data export after the Privacy Shield has broken off must “analyze the legal situation in the third country with regard to official access and legal protection options for data subjects”.

Kühn also refers to further requirements of the European Data Protection Committee (EDSA) in order to be able to transmit personal data in accordance with the GDPR to a third country like the USA. This standard based on the supervisory authority in the economy as well as in public administration. However, the documents submitted by the Senate Chancellery for the project with Zoom indicated that these requirements were not being met. Other legal bases such as the consent of all parties concerned cannot be used here either.

The Senate Chancellery in Hamburg is in charge of digitization issues. Kühn explains that you have informed you about relevant plans at an early stage. The authority was then not ready to “respond to repeatedly raised concerns”. Even the initiation of a formal procedure through a hearing in mid-June did not lead to any rethinking. The Senate Chancellery “did not submit documents to the supervisory authority either within the set deadline or afterwards, or provided arguments that would allow a different legal assessment”.

The formal warning is therefore “a logical step”, albeit a regrettable one, says Kühn. In the Hanseatic city, all employees have “a proven video conference tool that is unproblematic with regard to third-country transmission across the board”. The central IT service provider for the coastal countries, Dataport, also provides “additional video conference systems in its own data centers”. These would be used successfully in Schleswig-Holstein, for example. It is therefore incomprehensible “why the Senate Chancellery insists on an additional and legally highly problematic system”.


To home page