Zoom incompatible with GDPR, claims data protection watchdog for the German city of Hamburg

Takes aim at US videoconferencing software as tech world+dog calls lawyer for a quick chat

Updated The acting Hamburg Commissioner for Data Protection and Freedom of Information has officially warned the city's Senate Chancellery not to use the on-demand version of Zoom's videoconferencing software.

Referring to the European Court of Justice Schrems II decision of July 2020, Ulrich Kühn claimed the software violates the EU General Data Protection Regulation (GDPR) as "such use is associated with the transmission of personal data to the US."

Kühn stated bluntly:

A data transfer is therefore only possible under very strict conditions, which are not available when the Senate Chancellery is planning to use Zoom.

Dr Gabriela Zanfir-Fortuna, Future of Privacy Forum director, publicly speculated this morning that Zoom had relied "on SCCs, but with insufficient supplemental measures," opining: "A pattern emerges showing public offices, gov agencies & their US-based service providers as the immediate target of Schrems II enforcement... It's going to be a busy fall, folks."

Neil Brown, director at a tech-savvy virtual English law firm, told The Register he interpreted the "somewhat oblique" press release to mean the Hamburg DPA considers that Zoom "does not ensure a level of protection for personal data which is 'essentially equivalent' to that afforded by the GDPR."

Brown added: "Many businesses used to address the international transfers aspect of the GDPR by incorporating the model contract clauses/SCCs into their contracts with organisations in non-adequate jurisdictions.

"In Schrems II, the CJEU said that these were not, in themselves, sufficient, and that a transferring controller must do a comprehensive risk assessment, and put appropriate additional measures in place to ensure 'essentially equivalent' protection.

"And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose. And, lo and behold, there is a new European set, which is a heck of a lot more complicated."

Further into the warning, Kühn's statement (via Google Translate) that the Senate Chancellery had been "unwilling to respond to ... repeated concerns" and had missed deadlines to submit documents and arguments also caught the eye. Brown told The Reg this suggested that the "warning stemmed, at least in part, from a seeming lack of cooperation" by the Senate Chancellery, speculating this might have to do with "political infighting."

As for the larger implications of the Schrems II ruling, including the fresh SCCs, Brown commented that it was: "Good news for lawyers, for self-hosted solutions, and for service providers which do not need to transfer personal data to non-adequate jurisdictions. Less good news for anyone facing a pile of new paperwork and lawyers' bills."

Zoom has said its products feature "an explicit consent mechanism for EU users" on its platform and that it has implemented "zero-load" cookies for users whose IP addresses show they are accessing the site from an EU member state.

Under the heading "European Data Protection Specific Information," Zoom has said:

Where personal data of users in the EEA, Switzerland, or the UK is being transferred to a recipient located in a country outside the EEA, Switzerland, or the UK which has not been recognized as having an adequate level of data protection, we ensure that the transfer is governed by the European Commission's standard contractual clauses.

We have asked the firm for clarification. The page was last updated on 4 June 2021 – the same day the European Commission published its final Implementing Decision adopting several new standard contractual clauses for the transfer of personal data to third countries. The new SCCs – serving orgs making data transfers to and from the EU and covering both the European processor and the US controller – were responses to deficiencies in previous SCCs brought to light in the Schrems II ruling. The fact that the update happened on the same day might lead an onlooker to assume the fresh SCCs were implemented... which leads to more questions.

Mind the Brexit gap

The UK's Information Commissioner is currently working on its own draft international data transfer agreement. The regulator also recently moved to draft a UK-specific contractual addendum so that the country will be able to bolt on the European Commission's new standard contractual clauses on the international transfer of personal data and use them in a UK context. After all, Brexit meant Brexit.

In the background is the report from the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR), characterised by a Reg colleague as "a Brexit goon-squad of Tory MPs" which has taken aim at Article 5 of GDPR, which states among other things that data should be "collected for specified, explicit and legitimate purposes" and be "adequate, relevant and limited to what is necessary." The report moaned that this limited "AI organisations from collecting new data before they understand its potential value and they also mean that existing data cannot be reused for novel purposes."

The Commission formally announced its adoption of adequacy decisions for the UK [PDF] on 28 June, which would have been a relief to many businesses in the country relying on EU data flows. However, as critics have pointed out, the adequacy designation may not necessarily stand should a determined effort be made to divert UK legislation too far from the protections afforded to citizens of the EU.

We have asked Zoom for comment. ®

Updated to add at 12:07 UTC on 18 August 2021

Zoom has been in touch to say: "Zoom is proud to work with the City of Hamburg and many other leading German organizations, businesses and education institutions. The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. Zoom is committed to complying with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR."

Spain, Austria not convinced location data is personal information

Privacy group NOYB sues to get telcos to respect GDPR data access rights

Some authorities in Europe insist that location data is not personal data as defined by the EU's General Data Protection Regulation.

EU privacy group NOYB (None of your business), set up by privacy warrior Max "Angry Austrian" Schrems, said on Tuesday it appealed a decision of the Spanish Data Protection Authority (AEPD) to support Virgin Telco's refusal to provide the location data it has stored about a customer.

In Spain, according to NOYB, the government still requires telcos to record the metadata of phone calls, text messages, and cell tower connections, despite Court of Justice (CJEU) decisions that prohibit data retention.

US lawsuit alleges tool used by hospitals shares patient data with Meta

Booking appointments and other interactions with hospital portals can lead to some medical details being shared for advertising, class action claims

Social media megacorp Meta is the target of a class action suit which claims potentially thousands of medical details of hospital patients were shared with its Facebook brand.

The proposed class action [PDF], filed on Friday, centers on the use of Facebook Pixel, a tool for website marketing and analytics.

An anonymous hospital patient, named John Doe in court papers, is bringing the case — filed in the Northern District of California — alleging Facebook has received patient data from at least 664 hospital systems or medical providers, per the suit.

Behind Big Tech's big privacy heist: Deliberate obfuscation

You opted out, but you didn't uncheck the box on page 24, so your data's ours...

Opinion "We value your privacy," say the pop-ups. Better believe it. That privacy, or rather taking it away, is worth half a trillion dollars a year to big tech and the rest of the digital advertising industry. That's around a third of a percent of global GDP, give or take wars and plagues. 

You might expect such riches to be jealously guarded. Look at what those who "value your privacy" are doing to stop laws protecting it, what happens when a good law gets through, and what they try to do to close it down afterwards.

The best result for big tech is if laws are absent or useless. The latest survey of big tech lobbying in the US reveals a flotilla of nearly 500 salespeople/lawyers touring the US state legislatures, trying either to draw up tech-friendly legislation to insert into privacy bills, water them down through persuasion, or just keep them off the books.

Lawyers say changes to UK data law will make life harder for international businesses

Concerns raised over government drive to implement distinct post-Brexit policy

Legal experts say UK government plans to create new data protection laws will make more work and add costs for business, while also creating the possibility of challenges to data sharing between the EU and UK.

Last week, the Queen's Speech – in which the British government sets out its legislative plans – said the ruling Conservative party planned to replace the EU's General Data Protection Regulation (GDPR) to ease the burden on business with an approach to data protection that encourages innovation while retaining protection of personal data and privacy.

Patch now: Zoom chat messages can infect PCs, Macs, phones with malware

Google Project Zero blows lid off bug involving that old chestnut: XML parsing

Zoom has fixed a security flaw in its video-conferencing software that a miscreant could exploit with chat messages to potentially execute malicious code on a victim's device.

The bug, tracked as CVE-2022-22787, received a CVSS severity score of 5.9 out of 10, making it a medium-severity vulnerability. It affects Zoom Client for Meetings running on Android, iOS, Linux, macOS and Windows systems before version 5.10.0, and users should download the latest version of the software to protect against this arbitrary remote-code-execution vulnerability.

The upshot is that someone who can send you chat messages could cause your vulnerable Zoom client app to install malicious code, such as malware and spyware, from an arbitrary server. Exploiting this is a bit involved, so crooks may not jump on it, but you should still update your app.

Tech pros warn EU 'data adequacy' at risk if Brexit Britain goes its own way

Show us that benefits outweigh the cost, BCS challenges government

BCS, The Chartered Institute for IT, has warned that proposed changes to Britain's data protection rules must not put the flow of data between the EU and the UK at risk.

The professional body said the supposed benefits of a leaner data protection regime – something the government promised last week – should not come at the expense of the UK's current "data adequacy" arrangement with the EU.

The UK remained compliant with the EU's General Data Protection Regulation (GDPR) when it formally left the EU at the end of 2020. Its interpretation of EU law meant that the trading bloc gave the UK an "adequacy" ruling, permitting data sharing across the border.

Europe's GDPR coincides with dramatic drop in Android apps

Privacy rules increase cost, reduce choice, slash revenues, study concludes

Europe's data protection regime has reduced the number of apps available in Google Play by "a third," increased costs, and reduced developer revenues, according to a study published Monday.

And with higher costs, fewer apps are being created, to the detriment of consumers and the mobile app economy, it claims.

"At the start of our sample period in July 2016, our data contain 2.1 million apps in the Google Play Store, while AppBrain reported 2.2 million. The number of Play Store apps in our sample then rises to 2.8 million in the fourth quarter of 2017, then falls by almost one million – about 32 percent – by the end of 2018. Available apps in AppBrain saw a similar decline, by 31 percent between the beginning of 2018 and the end of 2018."

Zuckerberg sued for alleged role in Cambridge Analytica data-slurp scandal

I can prove CEO was 'personally involved in Facebook’s failure to protect privacy', DC AG insists

Cambridge Analytica is back to haunt Mark Zuckerberg: Washington DC's Attorney General filed a lawsuit today directly accusing the Meta CEO of personal involvement in the abuses that led to the data-slurping scandal. 

DC AG Karl Racine filed [PDF] the civil suit on Monday morning, saying his office's investigations found ample evidence Zuck could be held responsible for that 2018 cluster-fsck. For those who've put it out of mind, UK-based Cambridge Analytica harvested tens of millions of people's info via a third-party Facebook app, revealing a – at best – somewhat slipshod handling of netizens' privacy by the US tech giant.

That year, Racine sued Facebook, claiming the social network was well aware of the analytics firm's antics yet failed to do anything meaningful until the data harvesting was covered by mainstream media. Facebook repeatedly stymied document production attempts, Racine claimed, and the paperwork it eventually handed over painted a trail he said led directly to Zuck. 

Kasten by Veeam adds ransomware detection to K10 data management platform

Catching compromise attempts before kicking off that recovery plan

Kubecon Veeam acquisition Kasten kicked off this year's Kubecon with an updated version of its K10 product, aimed at securing the Kubernetes container orchestration platform.

Now known as "Kasten by Veeam", the company told the Valencia-based conference that version 5 of the K10 Kubernetes backup and data protection suite includes extra ransomware defenses.

K10 has received a number of updates since Kasten's acquisition by Veeam. Version 4.5 added coverage for platforms including Kafka, Cassandra, and the K3s Kubernetes distribution.

China's vice premier Liu He advocates technology and government cooperation

After years of crackdowns, Beijing changing its tune on the industry

The vice premier of China and Xi Jinping's economic right-hand man, Liu He, has offered a rare show of support to China's tech industry – both domestic and abroad.

According to state-sponsored media, Liu told around 100 members of the Chinese People's Political Consultative Congress (CPPCC) it is important to have a good relationship between the government and tech, and to research and support specific measures that grow the platform economy.

"It is necessary to wage a successful battle for the strategic ground of critical core technologies," Liu said, according to Xinhua news agency.

Zoom agrees privacy conditions, gets low-risk rating from Netherlands

Warn users there's no E2EE when using it via the browser, DPIA tells institutions

Hot on the heels of Microsoft's report card from the Dutch department of Justice and Security comes news of rival messaging platform Zoom receiving a nod via a renewed Data Protection Impact Assessment (DPIA).

The assessment was performed by the Privacy Company and was commissioned by SURF (the purchasing organisation for the Netherlands' universities).

The first assessment kicked off in 2020 and by May 2021 [PDF] concluded that there were nine high and three low data protection risks for users of the video conferencing platform.

AI-powered browser extension to automatically click away cookie pop-ups now promised

Tool disables non-essential tokens

A team of researchers at the University of Wisconsin-Madison and Google say they have found a way to use artificial intelligence to neutralize the manipulative cookie consent pop-ups that have become ubiquitous on the web.

The project, revealed this month and dubbed CookieEnforcer, has the goal of automating the clicking through of choices in these online consent forms to disable all non-essential cookies on a website. The resulting software can therefore spare netizens from having to manually reject cookies presented by a website.

When confronted with cookie pop-ups, which are required by European law and other legislation, many users simply click "accept all," despite the fact that unnecessary cookies may compromise privacy, the project's paper stated. Some of the organizations forced to implement these pop-ups have designed them specifically to be tricky to navigate, or use dark patterns to fool someone into selecting the opposite of the desired option, in order to discourage people from disabling tracking cookies.
