Zoom incompatible with GDPR, claims data protection watchdog for the German city of Hamburg

The acting Hamburg Commissioner for Data Protection and Freedom of Information has officially warned the city's Senate Chancellery not to use the on-demand version of Zoom's videoconferencing software. Referring to the European Court of Justice Schrems II decision of July 2020, Ulrich Kühn claimed the software violates the EU …

  1. Dinanziame Silver badge

    I'm confused; is Zoom supposed to change the way their software works, or change their T&Cs to make them compatible with the GDPR?

    1. GiantKiwi

      At this point, pretty much both options.

    2. Joe W Silver badge

      I guess it's more of a note to the Chancellery of the Senate of the Free Hanseatic Town of Hamburg to stop using the on-demand service of Zoom. Pronto.

      Should Zoom change the way their on-demand service works or how the T&Cs are worded, Zoom could again be used. Although I really do wonder why they should use it anyway, as several states are indeed self hosting own platforms (don't know if Zoom is among them, I believe Skype and WebEx are... another good candidate - if there is an on-prem version - would be Microsoft Teams), but I'm really not sure if Hamburg does have its own servers for web conferences / meetings / video calls.

      So, yeah, this is how it is supposed to work: a service cannot be offered in the EU (and very definitely should not be used by the government!) if it does not comply with GDPR.

      1. big_D

        There are plenty of tools and services that are compliant, like Jitsi, Big Blue Button etc., that are either self-hosted or hosted by EU-only companies, which are compliant.

        1. Joe W Silver badge

          Exactly. Though I am sure that for use by government bodies the rules are quite a bit stricter than just "GDPR-compliant", or at least they should be.

          So why they do seem to insist on using Zoom is unclear to me (ok, it's not, it will be "but my son uses it in school, so I am familiar with it" - or something along these lines).

          1. SImon Hobson Silver badge

            So why they do seem to insist on using Zoom is unclear to me

            It's there, it's reasonably priced, it's fairly easy to use - and also, I've found that it's fairly easy on system resources on my aging old laptop.

          2. Paul Crawford Silver badge

            It usually sucks less than the others (Teams, WebEx, etc) in my experience.

            Of course it might be sucking personal data more...

            1. big_D

              I've used mainly Teams and haven't had any problems with it. On the other hand, my first Zoom call was a nightmare, trying to get sound working.

              I guess it is what you are used to and what you use regularly.

            2. Anonymous Coward

              Zoom & Teams suck

              Zoom sucks at least on a still very powerful Galaxy S10. That gets rather warm and drains about 50% of battery in 90 minutes. Guess their devs haven't heard about hardware acceleration.

              As for Teams, measured by supposedly being professional, it suuuuucks! ▼ no search worthy of that name ▼ lagging status display (my colleagues asked me how I could be shown offline while in a Teams meeting!) ▼ not a Windows app (freezes when waking up on a different size monitor) ▼ lousy Outlook integration (when opening a meeting from notifier, that stays open behind Teams, and doesn't popup again until dug up and explicitly closed)

          3. martinusher Silver badge

            >So why they do seem to insist on using Zoom is unclear to me

            Having tried some of the alternatives I guess it's because "it just works" -- unlike those alternatives.

            I'm not a videoconference enthusiast. I just resent spending hours messing with my system because it's not got the right browser, the right version of Windows or whatever. Zoom works on anything (including my usual Waterfox/Linux setup).

          4. Scene it all

            Jitsi looks pretty identical to Skype on the screen. And it's free. Anyone familiar with setting up a Linux web service can install it. If you use a flexible cloud-like infrastructure (even in-house) you can size the resources to the size of a meeting. And the custom background feature in the latest version is pretty cool.

        2. Carlitos911

          It's the one the boss heard about on TV, or from his nephew that "works in computers", so it must be the best thing ever.

          In my experience that's how these decisions are made.

    3. katrinab Silver badge

      No, they are supposed to change the way their software works, and change their T&Cs to make them compatible with the GDPR.

      1. Doctor Syntax Silver badge

        Not so much the software as the way the entire system works so that no entity with exposure to US legislation can get its hands on the data. Licensing the IP to an EU franchisee with a strictly hands-off clause for the franchisor might do the trick.

        1. GuildenNL

          Meanwhile there is considerable concern still in the USA about Zoom's ties with China.

          1. gandalfcn Silver badge

            The USA should be more concerned about itself and its totally dysfunctional country.

        2. aks

          As far as I can read, the EU want all servers to be within the EU and no data to flow outside of it and its rules. Plenty of AWS/Azure/etc servers within the EU.

          The second objective of Brussels is for the software (as well as the hardware) to be written in the EU.

          It all reminds me of Apple's walled garden.

          1. big_D

            No, they are perfectly happy for the data to be exported and processed in countries that can offer the same levels of data protection as the EU, like Iceland, Japan, Uruguay, Canada or New Zealand, but not countries with weak data protection and governmental overreach, like the USA or China.

            The USA tried to cover that with Safe Harbour, but the first Schrems lawsuit showed what a hollow joke that was. The EU/USA then came up with Privacy Shield, but that wasn't taken seriously by the US Government - after 5 years, they had failed to appoint the required permanent ombudsman and, in addition to the existing problems with the FISA Act, Patriot Act etc. they made the situation even worse, by passing the CLOUD Act, which essentially outlawed the use of AWS, Azure, Google Cloud Services or any other cloud or data center company with a presence in the USA (essentially any server outside the USA, but owned by a subsidiary of a US company or a US company itself falls under US jurisdiction).

            There are SCCs as well, but they aren't any better than Privacy Shield, in terms of effectiveness - which is why the updated versions were released recently. In essence, to comply with GDPR requirements, the companies providing data storage or processing services (cloud, web platforms etc.) have to guarantee they will break US laws to protect EU data.

            So, those AWS and Azure servers in Europe are taboo as well. I think it says something, when Uruguay and Argentina are more trustworthy destinations than the USA...

          2. codejunky Silver badge

            @aks

            "The second objective of Brussels is for the software (as well as the hardware) to be written in the EU."

            The wall does keep getting higher. We have had a huge leap in progress as the world opened up for trade and cooperation, but politicians can't control that so by tightening their grip they can have more control. The full fat version is the iron curtain and we know how much 'growth' the USSR had.

            Our lives in the west have massively improved as China backed away from its communist/socialist even if they retained their authoritarianism. And they have had a huge leap of progress bringing many out of actual poverty.

    4. Anonymous Coward

      "appropriate additional measures [...] to ensure [...] equivalent protection"

      That's what Zoom has to do - how depends on what and how Zoom actually collects and stores user data. It may decide not to move EU data to US, it may keep on moving data to US ensuring the "equivalent protection" and that could be more than a few changes to T&C.

      1. Doctor Syntax Silver badge

        Re: "appropriate additional measures [...] to ensure [...] equivalent protection"

        it may keep on moving data to US ensuring the "equivalent protection"

        And how does it do that while US law overrides contract provisions? Encrypt it? Only viable if it doesn't have access to the key. Whatever it comes up with is only going to last as long as the next Schrems-style challenge.

        1. Pascal Monett Silver badge

          Equivalent protection ?

          From the NSA ?

          Bollocks.

          1. Nick Ryan

            Because the US has absolutely no worthwhile data protection laws and non-US citizens have the legal standing somewhat below that of a feral dog in the US, passing any personal data whatsoever to be stored in the US is inevitably going to violate any other nation's data protection laws.

    5. Mike 137 Silver badge

      The fundamental problem

      The fundamental problem is that US Privacy Shield was struck down by the EU (and indeed Switzerland) in the aftermath of Schrems II, for the simple reason that it offered no real protection in the face of overriding federal law allowing government agencies access to personal data regardless of the terms of contracts between the parties to data transfers.

      In practice, under current conditions no agreements between parties, whether based on "standard contractual clauses" or not, can alleviate this problem. The only practical remedy other than a major change to US federal law (which is unlikely to happen) is for the US party to the transfer to limit the data it gathers to a minimum such that it no longer constitutes "personal data", and even then under a strict interpretation of the EU legislation there are challenges - not least that anonymisation is itself "processing".

      1. SImon Hobson Silver badge

        Re: The fundamental problem

        ...it offered no real protection in the face of overriding federal law allowing government agencies access to personal data regardless of the terms of contracts between the parties to data transfers

        Which is the key point.

        We all knew Privacy Figleaf Shield was dead as soon as it was announced. But hey, it bought people another 5 years while Schrems II worked its way through the system. No doubt TPTB will come up with another grand sounding scheme that everyone can sign up to - and it'll buy another 5 years while Schrems III grinds through the mill and that scheme gets tossed out.

        But ultimately, there is a fundamental incompatibility between EU and US law - unless one or both change their law significantly then there will never be a system which withstands scrutiny. I don't believe the EU will change, let's face it, there's enough member countries that understand (thanks to events within living memory) the importance of privacy. And I can't see the US government upsetting the corporate sponsors that bankroll the elected members' ...

        So I think we can look forward to "son of Privacy Figleaf" followed by Schrems III; then "son of son of Privacy Figleaf" followed by Schrems IIII; then ...

        1. Doctor Syntax Silver badge

          Re: The fundamental problem

          If the EU contrives a way to fast track the legal challenges then the not upsetting the sponsors bit might lead to changes.

        2. A.P. Veening Silver badge

          Re: The fundamental problem

          But ultimately, there is a fundamental incompatibility between EU and US law - unless one or both change their law significantly then there will never be a system which withstands scrutiny. I don't believe the EU will change, let's face it, there's enough member countries that understand (thanks to events within living memory) the importance of privacy. And I can't see the US government upsetting the corporate sponsors that bankroll the elected members' ...

          The US will change its legislation quickly enough when the EU implements some reciprocal legislation on data slurp and governmental access to it despite contracts, American corporations will scream bloody murder as soon as some of their secrets get into EU government hands.

        3. LybsterRoy Silver badge

          Re: The fundamental problem

          I'm not certain there is a difference between law and laws, if not there should be. You seem to be complaining about a specific law instance. If you check you'll probably find that in most countries national law overrides contract law.

    6. moshestrugano

      Yes they are updating both the features to make Zoom more compatible

  2. Joe W Silver badge

    That's the point!

    the report from the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) moaning about GDPR:

    GDPR states that data should be "collected for specified, explicit and legitimate purposes" and be "adequate, relevant and limited to what is necessary." The report moaned that this limited "AI organisations from collecting new data before they understand its potential value and they also mean that existing data cannot be reused for novel purposes."

    Yes. That is indeed the point. I would use the closing phrase of a certain youtube botany channel, but this would be a bit too blue to leave the comment in place. But I mean it.

  3. vichardy

    Let's just hire every person in Europe to be a bureaucrat

    The European bureaucracy just seems to know no bounds when it comes to regulations. Maybe this is worthwhile, maybe not but it's another reason why the business climate across the pond is subdued compared to the US. Way too many regulations and regulators.

    1. Irongut Silver badge

      Re: Let's just hire every person in Europe to be a bureaucrat

      Because we'd all be better off as company slaves working for less than a living wage, with no paid time off, little to no maternity / paternity leave and strapped down by Zuck every night so Palantir can probe us for data. Fuck yeah!

      1. Anonymous Coward

        Re: Let's just hire every person in Europe to be a bureaucrat

        No, the solution is we all work for Palantir and probe each other

      2. LybsterRoy Silver badge

        Re: Let's just hire every person in Europe to be a bureaucrat

        Yup - I much prefer the method where if you get made redundant you kidnap the boss and hold him to ransom.

      3. codejunky Silver badge

        Re: Let's just hire every person in Europe to be a bureaucrat

        @Irongut

        "Because we'd all be better off as company slaves working for less than a living wage, with no paid time off, little to no maternity / paternity leave"

        EU? Remember before the virus when the US and UK had full employment and booming economies. The EU had high unemployment and was playing serious catch up from the brink of economic disaster. Which is better? Fuck yeah!

    2. Filippo Silver badge

      Re: Let's just hire every person in Europe to be a bureaucrat

      Somehow, I have the feeling that when you write "maybe this is worthwhile", you are not really meaning it.

    3. Anonymous Coward

      "why the business climate across the pond is subdued"

      Probably there's more manufacturing in EU than in US where everything was sent abroad because it was cheaper to make. Even handling bank transactions. While many EU products are regarded far higher than their US counterparts.

      Sure, looking at the IT sector only the difference is clear. But since the iPhone (built in China..., as well a large part of its inner design, nowadays) that difference has been built mostly on squeezing people to extract as many data as possible to sell ads placements - and little more. Plus all the adverse effects of this "brave new world".

      Capitalism without regulations soon becomes a wild west where any rule is broken to advantage the 800 pound gorillas only. Even in US that is being slowly understood.

      1. Pascal Monett Silver badge

        Very slowly.

    4. gandalfcn Silver badge

      Re: Let's just hire every person in Europe to be a bureaucrat

      Given that the enormous amount of red tape in the USA is arguably the most stifling in the world and that of the EU the least methinks you need a reboot.

      1. LybsterRoy Silver badge

        Re: Let's just hire every person in Europe to be a bureaucrat

        I'm genuinely interested in that statement - do you have any proof?

        1. eldoc

          Re: Let's just hire every person in Europe to be a bureaucrat

          Try even bidding for a piece of government work (at whatever level) in the US if you're not a US company, whereas here in the UK, how many of those contracts are won by non-UK companies?

          1. gandalfcn Silver badge

            Re: Let's just hire every person in Europe to be a bureaucrat

            Then the tax system, arguably the most onerous and complicated in the world, Import and export documentation are a nightmare and as we are now seeing even the ability to cast one's vote is fraught with problems which some states are trying to make even more difficult. So methinks anyone claiming the USA is anything other than a bureaucratic nightmare hasn't much experience overseas.

            1. A.P. Veening Silver badge

              Re: Let's just hire every person in Europe to be a bureaucrat

              Then the tax system, arguably the most onerous and complicated in the world,

              And the USA is one of two countries in the world taxing non-resident citizens, the other being Eritrea.

      2. imanidiot Silver badge

        Re: Let's just hire every person in Europe to be a bureaucrat

        The problem in the US is that you don't have to deal with JUST the regulations of the United States of America federal government but also with the (often conflicting or at least very different) state laws and even local municipal laws. And then there's 20001 different agencies on both federal, state and municipal levels who often have their own interpretation on what the laws should be regardless of what the actual laws read.

        1. gandalfcn Silver badge

          Re: Let's just hire every person in Europe to be a bureaucrat

          And the sad thing is they think all that is normal rather than unusual. But then they also use Bbls and funny gallons.

    5. Skippy94

      Re: Let's just hire every person in Europe to be a bureaucrat

      The irony of your comment is that the U.S. doesn't have a federal privacy law. And the GDPR aimed to reduce regulations and regulators.

      So each of the States are slowly passing their own laws, with a myriad of regulators.

      Add to that, the US has industry specific privacy regulators with different rules etc.

      If anything, one of the things GDPR did was aim to standardise things by making it a regulation rather than a directive (didn't work in its entirety, but still better than it was before) and by having things like the one stop shop where the regulators across Europe operate in tandem

      If anything, Brexit just adds another regulator. The more we depart from the GDPR and European case law, the more bureaucrats have to do, and the more lawyers and consultants get paid to explain the differences between those regulations.

      The US actually passing a standardised federal privacy law might be one of the few things which is partisan in the States as they are recognising they can't go on with each state/industry having their own rules.

      Just goes to show that rants like yours, which might resonate with the man in the pub 6 pints in who knows nothing about legal regimes, are actually the complete opposite of what you are making out.

  4. big_D

    Well, duh!

    Article 5 of GDPR, which states among other things that data should be "collected for specified, explicit and legitimate purposes" and be "adequate, relevant and limited to what is necessary." The report moaned that this limited "AI organisations from collecting new data before they understand its potential value and they also mean that existing data cannot be reused for novel purposes."

    Well, that is basically the point of GDPR, no misuse of the data for things it wasn't originally collected for, and once it has served its purpose, it is to be deleted.

    Want to use it for "AI", then spell out exactly what you want and why you want it. And "warehousing the data, because it might become useful someday" is not a valid ground for collecting or storing the data.

    1. Doctor Syntax Silver badge

      Re: Well, duh!

      Want to use it for "AI", then spell out exactly what you want and why you want it.

      And then get specific permission from each data subject based on that spelling out.

      1. Anonymous Coward

        Re: Well, duh!

        Consent is only one of 6 lawful basis. You don't have to have permission to use data.

        You can cite a legitimate interest if you have a strong enough argument and aren't harming people

  5. b0llchit Silver badge

    That is why I installed Jitsi Meet on a private server when we started to work from home quite some time ago. However, most organizations hopped onto the empty cloud-promise and subsequently have lost all knowledgeable personnel for running a private IT infrastructure. Now they are locked into a system that is, one piece by the other, deemed incompatible with the GDPR.

    Oh my,... I hear the phrase "I told you so" ringing in so many companies from the techies now... It is embarrassing.

    1. Anonymous Coward

      Probably not - half of those techies will have been made redundant, or left in disgust at the direction the company is heading in.

    2. Roland6 Silver badge

      >That is why I installed Jitsi Meet on a private server when we started to work from home quite some time ago.

      and if your company is typical, some of your users (specifically those that engage with people outside of your company) will also be using Teams, Zoom, Slack...

  6. elsergiovolador Silver badge

    Great Data Purging Revolution

    Most of these services are non compliant. They harvest data without justification. Running targeted ads on the platform is not a valid reason.

    Problem is that nobody dares to prosecute them. Agents prefer to focus on small or medium business, because they have no teeth.

    If they were going to pick on a big platform, chances are they would get a job offer or other indecent proposal to drop it.

    When billions are at stake, there is nothing these companies cannot do to protect their interests.

    Given that GDPR has done nothing for privacy - quite the opposite, I am still of an opinion that this was created to give civil servants an opportunity to get bribes. Corruption is still largely not investigated.

    1. SImon Hobson Silver badge

      Re: Great Data Purging Revolution

      I couldn't decide whether to upvote you for the first bit. or downvote you for the second - so I've done neither.

      I believe that GDPR has done something for privacy, just not as much and as fast as many had hoped. I believe it will come sooner or later.

      The problem which you point out, that none of the big suspects such as FaecesBorg have been fined yet is that technically they haven't broken the law - because they've used mechanisms that have officially been endorsed by the authorities. First it was Safe Harbour until Schrems I killed that, then the hurriedly cobbled together Privacy Figleaf until Schrems II killed that. But with the latter, there's still this "grey zone" while TPTB work out what to do. They can't ignore it, but equally there's a lot of pressure to avoid completely killing trans Atlantic trade - which would harm us as much as it would harm the US.

      But in the interim, many services have improved their contractual terms and don't sell you without your permission - though that doesn't get round government snooping. Long term I think we'll see many more setting up the web of separate legal entities and technical barriers such that you'll be able to sign up for a service, and have some confidence in the data staying within the EU.

      At the moment there isn't that confidence (at least amongst those with a memory longer than that of a goldfish), because Microsoft demonstrated the day after the CLOUD act was passed into law that people in the US could access and copy data from a server located in Ireland. Because of the complex way connections (especially for authentication) bounce around the globe, I'm not sure Microsoft can provide that guarantee with their current setup regardless of what they might claim publicly.

      1. elsergiovolador Silver badge

        Re: Great Data Purging Revolution

        GDPR was never created to protect personal data. It was created to protect companies. If you noticed people accept GDPR terms without reading which gives companies who use that data legal protection.

        Then one of requirements was data portability which forced many companies into implementing data export facilities. This means they can more easily pull the data from the system and sell it, even companies who didn't think about that.

        If you want to learn about juicier ways how this legislation is harmful, check this document: GDPArrrrr: Using Privacy Laws to Steal Identities

        This video is also worth watching: Probably an Irreverent Overview of GDPR

        1. doublelayer Silver badge

          Re: Great Data Purging Revolution

          Really? That's crap logic.

          "If you noticed people accept GDPR terms without reading which gives companies who use that data legal protection."

          If you noticed, they did that before. The companies have no more protection now than they used to, and now there are terms which they can't legally put in there.

          "Then one of requirements was data portability which forced many companies into implementing data export facilities. This means they can more easily pull the data from the system and sell it, even companies who didn't think about that."

          Yeah, so? They had the ability to sell the data at any time, but now, it's illegal for them to do it. How did GDPR help here? Just like the last one, this law gave them no new rights and restricted a few they used to have.

          1. elsergiovolador Silver badge

            Re: Great Data Purging Revolution

            If you noticed, they did that before.

            There is a quite a significant difference, that is they are invited with consent popups everywhere, that they click "accept" without reading what they consent for. This is now giving companies legal right to use data however they want (as users agreed, no?) and before GDPR it was not clear if use of data was entirely legal because they usually wouldn't even include a privacy policy on the website and displaying a giant invitation to consent would look suspicious. Now this is on pretty much every website, so now companies are covered and they can prove the data they sell is legit.

            Yeah, so? They had the ability to sell the data at any time, but now, it's illegal for them to do it.

            It was a gray area and today still is (you know users consented for their data to be sold by clicking that popup and before GDPR you couldn't really prove the users you are selling data of had consented). Many companies before that were not interested in selling data, but as a result of the information campaign they see it as an asset. Now that they can obtain consent and conveniently also are compelled by law to develop easy to use export options, they were given all the tools to monetise that personal data.

            I think you are relying much on the claimed intent and missing the big picture of what actually is the purpose of GDPR.

            They used law 3 from 48 Laws of Power

            1. Anonymous Coward

              Re: Great Data Purging Revolution

              Cookie popups are PECR, not GDPR, and 99% are not compliant anyway.

        2. LybsterRoy Silver badge

          Re: Great Data Purging Revolution

          I wonder how many of the downvoters bothered to follow the link or watch the video? I saw the video was 52 mins so I've bookmarked it for later :(

          1. doublelayer Silver badge

            Re: Great Data Purging Revolution

            I didn't, because the text above the video was so ridiculously false. My reply was based on that. I was planning to eventually watch the video at some later point, but it could be someone else with real information or something equally bad, so it wasn't high on my list of actions. It may describe real downsides of the GDPR, of which there are several, but if the text above is any summary, it isn't.

      2. Anonymous Coward

        Re: Great Data Purging Revolution

        "At the moment there isn't that confidence (at least amongst those with a memory longer than that of a goldfish), because Microsoft demonstrated the day after the CLOUD act was passed into law that people in the US could access and copy data from a server located in Ireland. Because of the complex way connections (especially for authentication) bounce around the globe, I'm not sure Microsoft can provide that guarantee with their current setup regardless of what they might claim publicly."

        At one stage several years ago Microsoft designed their "Cloud" zone in Germany to avoid the USA CLOUD Act type of concerns. How? They contracted T-Systems (IT services part of Deutsche Telekom) to build and operate the Germany zone for them - the contract in place defined how the Germany zone should be run but importantly Microsoft had zero access to the zone so even if Microsoft were required by US Gov to obtain data from that zone there was no way that they could do so.

        https://azure.microsoft.com/en-gb/blog/microsoft-azure-germany-now-available-via-first-of-its-kind-cloud-for-europe/

        Unfortunately after a couple of years Microsoft decommissioned that zone and replaced it with new facilities in Germany built and operated by themselves - so removing the protections of the previous solution.

        https://docs.microsoft.com/en-us/azure/germany/germany-migration-main

    2. Doctor Syntax Silver badge

      Re: Great Data Purging Revolution

      "Problem is that nobody dares to prosecute them."

      I wouldn't call Max Schrems a nobody. He's succeeded twice. That's why this particular notice has been issued.

      1. elsergiovolador Silver badge

        Re: Great Data Purging Revolution

        He's succeeded twice.

        And what difference did it make apart from wasting time and tax payer money?

        1. gandalfcn Silver badge

          Re: Great Data Purging Revolution

          It pissed you off, so that's a big plus

      2. doublelayer Silver badge

        Re: Great Data Purging Revolution

        He's certainly useful in this, but he doesn't get to fine the large companies who violate GDPR all the time. The organizations which have that power seem to take a very long time to do anything. It's certainly better than before when they had no power, but it could be even better if they started using their authority often.

        1. A.P. Veening Silver badge

          Re: Great Data Purging Revolution

          He's certainly useful in this, but he doesn't get to fine the large companies who violate GDPR all the time. The organizations which have that power seem to take a very long time to do anything. It's certainly better than before when they had no power, but it could be even better if they started using their authority often.

          The organizations are most certainly starting to use those powers seriously, e.g.:

          Euro watchdog will try to extract $900m from Amazon for breaking data privacy laws

    3. LybsterRoy Silver badge

      Re: Great Data Purging Revolution

      Whilst I'm not sure about the bribes bit I am on your side about it having done nothing for privacy. It's a bit like the click to accept cookies idea. Theoretically it's great, in reality I'm mega grateful to the person who posted about "I don't care about cookies". Saves me ages and much aggravation.

      1. FeepingCreature

        Re: Great Data Purging Revolution

        Really? I always reject cookies. I'm very happy about the GDPR.

    4. Cynical Pie

      Re: Great Data Purging Revolution

      GDPR is not, and never has been, about privacy.

      It's about ensuring the appropriate and lawful use of personal data.

      Yes, that has privacy implications but it isn't the purpose of the legislation.

  7. Doctor Syntax Silver badge

    "And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose."

    That would be those people who'd been engaging in wishful thinking. Anyone engaging in just straightforward thinking would have seen that any business exposed to US legislation couldn't cover themselves that easily.

  8. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921
    Coat

    Dogs say Zoom is Ruff

  9. Falmari Silver badge

    Don't store personal data

    If they do not store personal data they can not fall foul of GDPR.

    What personal data does video conferencing software need to store?

    Not the conference, if a conference member wants to record it it can be stored to the local machine.

    Who a user has connected to is not needed, just how long a user has been in video conference if billing is based on usage.

    Users' contacts, that can be stored locally.

    Surely all that is needed to be stored is enough user details for billing and usage details, amount of usage but not who they connected to.

    1. Anonymous Coward

      Re: Don't store personal data

      "What personal data does video conferencing software need to store?"

      Firstly, it's about what personal data is "processed", where processing includes, but is not limited to, storing.

      Examples:

      - account information for login authentication

      - billing details (i.e. credit card details, home address, possibly phone number)

      - personal email address (i.e. for conference invites etc)

      - in some cases the actual audio content of conference where audio-to-text-transcoding is offered as (an optional) part of the service

      - TCP/IP address of each participant (obviously for conference connectivity purposes but also potentially for billing, auditing, security purposes).

      That list is just off the top of my head.

      1. Anonymous Coward

        Re: Don't store personal data

        Even work email addresses if they contain your name, so not just limited to personal (unless of course you meant an individual rather than group address, in which case as you were)

        1. Falmari Silver badge

          Re: Don't store personal data

          @AC I agree with most of the points in your two posts. But I did not say no details had to be stored, hence the last line of my post "Surely all that is needed to be stored is enough user details for billing and usage details, amount of usage but not who they connected to."

          I feel that covered your first two points on account and billing.

          I had not thought of :-

          - personal email address (i.e. for conference invites etc)

          - in some cases the actual audio content of conference where audio-to-text-transcoding is offered as (an optional) part of the service

          excellent points +1.

          But TCP/IP does not have to be stored and if it counts as processing just to make a connection then how can any company outside the EU comply with GDPR if a connection has to be made to a server or another user be that video conferencing, messaging or even something like Adobe subscription PhotoShop? Surely in the case of TCP/IP as long as it is not stored it can't break GDPR.

          1. Anonymous Coward

            Re: Don't store personal data

            "But TCP/IP does not have to be stored and if it counts as processing just to make a connection then how can any company outside the EU comply with GDPR if a connection has to be made to a server or another user be that video conferencing, messaging or even something like Adobe subscription PhotoShop?"

            I'm the 1st Anonymous Coward above, the 2nd one wasn't me :-)

            GDPR is *not* about storage, it is about "processing" of personal data, it's right there on the 1st page of the GDPR:

            "on the protection of natural persons with regard to the processing of personal data and on the free movement of such data"

            GDPR Article 4(2) defines processing as:

            "‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"

            So establishing a TCP/IP connection (e.g. on a webserver), which obviously involves the end-user's IP address, could be defined as either "collection", or "consultation", or "use" of that IP address. That such an action (setting up a socket connection) is "processing" doesn't in and of itself mean that it would break GDPR - it might or might not depending on other aspects.

            "Surely in the case of TCP/IP as long as it is not stored it can't break GDPR."

            If you were to run a webserver in RAM with logging disabled then that is still potentially "processing of personal data" (i.e. if it's a domestic IP address, not a work one) in terms of GDPR. To determine if it is *valid* processing or not you need to look if there is a lawful basis (for example you could decide the lawful basis is "consent" as the end-user decided to go to that website, or if the website is a members-only website (i.e. with login) you could decide the lawful basis is "necessary for the performance of a contract"). There are 6 lawful bases to choose from...

            For example it would be valid to store IP addresses in logfiles for a time period (e.g. 1-3 months) for (network) security purposes so that if you get DDOSed or hacked you have the logs for an investigation. However keeping the logs so that your Marketing Department can check out the IP addresses might be deemed a breach of GDPR.

            The point is Data Protection (not just GDPR) is complicated so you can't really say in a single sentence "doing X is ok but doing Y is a breach of GDPR".

            Oh and don't call me Shirley ;-)

            1. Falmari Silver badge

              Re: Don't store personal data

              @AC Thanks for that informative reply.

              As for calling you Shirley I had to call you something as you are Anonymous. ;)

  10. Anonymous Coward

    "Zoom has said its products feature "an explicit consent mechanism for EU users" on its platform and that it has implemented "zero-load" cookies for users whose IP address show they are accessing the site from a EU member state."

    Unfortunately not good enough - I've worked at places where traffic from an office in one country may be routed internally between countries and pop out onto the Internet "near" the destination website. Any location indicated in WHOIS records for an IP address block does not necessarily indicate the correct country (especially if it's subnetted further "internally") that the end user is in. Indeed whenever a TCP/IP address block is sold it may take some time for its WHOIS records to be updated.

    From a GDPR perspective, if the end-user is physically in the EU then the appropriate cookie laws/rules apply regardless of whether the destination website/server app guessed your country location correctly or incorrectly. So using indicated IP location is a form of "best effort" but, at least in theory (as many EU member agencies are useless at GDPR enforcement), best effort is not good enough.

    1. Ozzard
      Black Helicopters

      Far more entertainingly, Zoom may route call traffic between non-EU nodes

      GDPR says nothing about whether or not personal data is encrypted; merely that personal data is processed.

      Zoom is not a peer-to-peer network; it uses traffic routing nodes worldwide, and explicitly states in its T&Cs that it may use any node or combination of nodes to route traffic.

      Net effect: your video traffic, even if allegedly "end-to-end encrypted" (show me the code, the design, and the architecture), may be processed through one of Zoom's US routing nodes on the way from an EU source to an EU destination. And if video traffic ain't personal data, I don't know what is.

      Then add in users who use VPNs and deliberately appear to be in different countries, and EU offices of US organisations where the Internet traffic from the EU users pops out of a US Internet peer. Zoom has no way of knowing where any given user is physically sited, so its only recourse would be a re-architect of its entire system that routes all video and audio traffic peer-to-peer (and doesn't provide cloud recording or transcription services). Then it would only have the more common kind of user data to worry about... :-)

  11. sketharaman

    Commitment

    "Zoom is committed to complying with ... GDPR."

    I love the way these guys are always committed to complying with the law but never commit that they comply with the law! Reminds me of the time when I was committed to becoming a billionaire and getting married to a Miss India!
