Does Zoom Violate the GDPR?

The Hamburg Commissioner for Data Protection issued a press release yesterday which noted that it has warned the city government about its use of the on-demand version of Zoom. The Commissioner believes that Zoom does not comply with the provisions of the General Data Protection Regulation. Data is transferred by Zoom to the United States, which has been judged to have inadequate privacy safeguards. (See the post on the Schrems II decision in the Tip of the Night for July 22, 2020.) The Commissioner determined that Zoom was not following the rules set by the European Data Protection Committee for the transfer of data to the United States.


The Commissioner issued a formal warning to the Hamburg Senate under Article 58(2) of the GDPR that processing operations in Zoom were likely to infringe the GDPR.


The on-demand version of Zoom is in effect a one-way webinar in which the participants cannot interact with the hosts as they would in a normal Zoom session. On-demand webinars are stored in the cloud, and are available to webinar registrants later on.


The Commissioner specifically recommended the use of a different video conferencing program.