Germany’s lead data protection agency (DPA) found Zoom to be incompatible with EU privacy standards, signaling European regulators are turning their sights to U.S.-based digital services, including some widely used by companies.
The German DPA issued a public warning to Hamburg’s state government on the use of Zoom, saying that the service is no longer in compliance with the EU’s General Data Protection Regulation following the Schrems II ruling due to data transfers to the U.S.
Last year, the top EU court invalidated the EU-U.S. Privacy Shield in the Schrems II ruling, requiring companies to reevaluate their contractual agreements used to access European personal data. In addition, the European Commission recently published new standard contractual clauses (SCCs) and required companies to stop using the old SCCs in new contracts by Sept. 27, 2021, and transition to the new SCCs in existing contracts by Dec. 27, 2022.
A number of European DPAs are investigating the use of U.S.-based digital services in response to the Schrems II ruling, according to reports. Among these are Facebook and popular cloud services from U.S. companies, in addition to Zoom.
Outlook: Negotiations between the Biden administration and European Commission to find a new data transfer deal are ongoing. Meanwhile, U.S. federal legislators struggle to come to agreement on privacy legislation. Looking ahead, the use of U.S.-based technology services will continue to come under scrutiny in the EU, with the potential for additional disruptive decisions.