I'm confused; is Zoom supposed to change the way their software works, or change their T&Cs to make them compatible with the GDPR?
Zoom incompatible with GDPR, claims data protection watchdog for the German city of Hamburg
The acting Hamburg Commissioner for Data Protection and Freedom of Information has officially warned the city's Senate Chancellery not to use the on-demand version of Zoom's videoconferencing software. Referring to the European Court of Justice Schrems II decision of July 2020, Ulrich Kühn claimed the software violates the EU …
COMMENTS
-
Tuesday 17th August 2021 14:13 GMT Joe W
I guess it's more of a note to the Chancellery of the Senate of the Free Hanseatic Town of Hamburg to stop using the on-demand service of Zoom. Pronto.
Should Zoom change the way their on-demand service works or how the T&Cs are worded, Zoom could again be used. Although I really do wonder why they should use it anyway, as several states are indeed self-hosting their own platforms (don't know if Zoom is among them, I believe Skype and WebEx are... another good candidate - if there is an on-prem version - would be Microsoft Teams), but I'm really not sure if Hamburg does have its own servers for web conferences / meetings / video calls.
So, yeah, this is how it is supposed to work: a service cannot be offered in the EU (and very definitely should not be used by the government!) if it does not comply with GDPR.
-
Tuesday 17th August 2021 14:40 GMT Joe W
Exactly. Though I am sure that for use by government bodies the rules are quite a bit stricter than just "GDPR-compliant", or at least they should be.
So why they do seem to insist on using Zoom is unclear to me (ok, it's not, it will be "but my son uses it in school, so I am familiar with it" - or something along these lines).
-
Wednesday 18th August 2021 14:04 GMT Anonymous Coward
Zoom & Teams suck
Zoom sucks at least on a still very powerful Galaxy S10. That gets rather warm and drains about 50% of battery in 90 minutes. Guess their devs haven't heard about hardware acceleration.
As for Teams, measured by supposedly being professional, it suuuuucks!
▼ no search worthy of that name
▼ lagging status display (my colleagues asked me how I could be shown offline while in a Teams meeting!)
▼ not a Windows app (freezes when waking up on a different size monitor)
▼ lousy Outlook integration (when opening a meeting from notifier, that stays open behind Teams, and doesn't popup again until dug up and explicitly closed)
-
Tuesday 17th August 2021 17:28 GMT martinusher
>So why they do seem to insist on using Zoom is unclear to me
Having tried some of the alternatives I guess it's because "it just works" -- unlike those alternatives.
I'm not a videoconference enthusiast. I just resent spending hours messing with my system because it's not got the right browser, the right version of Windows or whatever. Zoom works on anything (including my usual Waterfox/Linux setup).
-
Tuesday 17th August 2021 22:07 GMT Scene it all
Jitsi looks pretty identical to Skype on the screen. And it's free. Anyone familiar with setting up a Linux web service can install it. If you use a flexible cloud-like infrastructure (even in-house) you can size the resources to the size of a meeting. And the custom background feature in the latest version is pretty cool.
-
Wednesday 18th August 2021 11:04 GMT aks
As far as I can read, the EU want all servers to be within the EU and no data to flow outside of it and its rules. Plenty of AWS/Azure/etc servers within the EU.
The second objective of Brussels is for the software (as well as the hardware) to be written in the EU.
It all reminds me of Apple's walled garden.
-
Wednesday 18th August 2021 12:45 GMT big_D
No, they are perfectly happy for the data to be exported and processed in countries that can offer the same levels of data protection as the EU, like Iceland, Japan, Uruguay, Canada or New Zealand, but not countries with weak data protection and governmental overreach, like the USA or China.
The USA tried to cover that with Safe Harbour, but the first Schrems lawsuit showed what a hollow joke that was. The EU/USA then came up with Privacy Shield, but that wasn't taken seriously by the US Government - after 5 years, they had failed to appoint the required permanent ombudsman and, in addition to the existing problems with the FISA Act, Patriot Act etc. they made the situation even worse, by passing the CLOUD Act, which essentially outlawed the use of AWS, Azure, Google Cloud Services or any other cloud or data center company with a presence in the USA (essentially any server outside the USA, but owned by a subsidiary of a US company or a US company itself, falls under US jurisdiction).
There are SCCs as well, but they aren't any better than Privacy Shield, in terms of effectiveness - which is why the updated versions were released recently. In essence, to comply with GDPR requirements, the companies providing data storage or processing services (cloud, web platforms etc.) have to guarantee they will break US laws to protect EU data.
So, those AWS and Azure servers in Europe are taboo as well. I think it says something, when Uruguay and Argentina are more trustworthy destinations than the USA...
-
Thursday 19th August 2021 08:30 GMT codejunky
@aks
"The second objective of Brussels is for the software (as well as the hardware) to be written in the EU."
The wall does keep getting higher. We have had a huge leap in progress as the world opened up for trade and cooperation, but politicians can't control that so by tightening their grip they can have more control. The full fat version is the iron curtain and we know how much 'growth' the USSR had.
Our lives in the west have massively improved as China backed away from its communist/socialist even if they retained their authoritarianism. And they have had a huge leap of progress bringing many out of actual poverty.
-
Tuesday 17th August 2021 15:14 GMT Anonymous Coward
"appropriate additional measures [...] to ensure [...] equivalent protection"
That's what Zoom has to do - how depends on what and how Zoom actually collects and stores user data. It may decide not to move EU data to US, it may keep on moving data to US ensuring the "equivalent protection" and that could be more than a few changes to T&C.
-
Tuesday 17th August 2021 17:06 GMT Doctor Syntax
Re: "appropriate additional measures [...] to ensure [...] equivalent protection"
it may keep on moving data to US ensuring the "equivalent protection"
And how does it do that while US law overrides contract provisions? Encrypt it? Only viable if it doesn't have access to the key. Whatever it comes up with is only going to last as long as the next Schrems-style challenge.
-
Tuesday 17th August 2021 15:18 GMT Mike 137
The fundamental problem
The fundamental problem is that US Privacy Shield was struck down by the EU (and indeed Switzerland) in the aftermath of Schrems II, for the simple reason that it offered no real protection in the face of overriding federal law allowing government agencies access to personal data regardless of the terms of contracts between the parties to data transfers.
In practice, under current conditions no agreements between parties, whether based on "standard contractual clauses" or not, can alleviate this problem. The only practical remedy other than a major change to US federal law (which is unlikely to happen) is for the US party to the transfer to limit the data it gathers to a minimum such that it no longer constitutes "personal data", and even then under a strict interpretation of the EU legislation there are challenges - not least that anonymisation is itself "processing".
-
Tuesday 17th August 2021 15:51 GMT SImon Hobson
Re: The fundamental problem
...it offered no real protection in the face of overriding federal law allowing government agencies access to personal data regardless of the terms of contracts between the parties to data transfers
Which is the key point.
We all knew Privacy Figleaf Shield was dead as soon as it was announced. But hey, it bought people another 5 years while Schrems II worked its way through the system. No doubt TPTB will come up with another grand sounding scheme that everyone can sign up to - and it'll buy another 5 years while Schrems III grinds through the mill and that scheme gets tossed out.
But ultimately, there is a fundamental incompatibility between EU and US law - unless one or both change their law significantly then there will never be a system which withstands scrutiny. I don't believe the EU will change, let's face it, there's enough member countries that understand (thanks to events within living memory) the importance of privacy. And I can't see the US government upsetting the corporate sponsors that bankroll the elected members' ...
So I think we can look forward to "son of Privacy Figleaf" followed by Schrems III; then "son of son of Privacy Figleaf" followed by Schrems IIII; then ...
-
Tuesday 17th August 2021 20:09 GMT A.P. Veening
Re: The fundamental problem
But ultimately, there is a fundamental incompatibility between EU and US law - unless one or both change their law significantly then there will never be a system which withstands scrutiny. I don't believe the EU will change, let's face it, there's enough member countries that understand (thanks to events within living memory) the importance of privacy. And I can't see the US government upsetting the corporate sponsors that bankroll the elected members' ...
The US will change its legislation quickly enough when the EU implements some reciprocal legislation on data slurp and governmental access to it despite contracts, American corporations will scream bloody murder as soon as some of their secrets get into EU government hands.
-
Tuesday 17th August 2021 14:17 GMT Joe W
That's the point!
the report from the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) moaning about GDPR:
GDPR states that data should be "collected for specified, explicit and legitimate purposes" and be "adequate, relevant and limited to what is necessary." The report moaned that this limited "AI organisations from collecting new data before they understand its potential value and they also mean that existing data cannot be reused for novel purposes."
Yes. That is indeed the point. I would use the closing phrase of a certain youtube botany channel, but this would be a bit too blue to leave the comment in place. But I mean it.
-
Tuesday 17th August 2021 14:17 GMT vichardy
Let's just hire every person in Europe to be a bureaucrat
The European bureaucracy just seems to know no bounds when it comes to regulations. Maybe this is worthwhile, maybe not but it's another reason why the business climate across the pond is subdued compared to the US. Way too many regulations and regulators.
-
Tuesday 17th August 2021 14:23 GMT Irongut
Re: Let's just hire every person in Europe to be a bureaucrat
Because we'd all be better off as company slaves working for less than a living wage, with no paid time off, little to no maternity / paternity leave and strapped down by Zuck every night so Palantir can probe us for data. Fuck yeah!
-
Thursday 19th August 2021 08:36 GMT codejunky
Re: Let's just hire every person in Europe to be a bureaucrat
@Irongut
"Because we'd all be better off as company slaves working for less than a living wage, with no paid time off, little to no maternity / paternity leave"
EU? Remember before the virus when the US and UK had full employment and booming economies. The EU had high unemployment and was playing serious catch up from the brink of economic disaster. Which is better? Fuck yeah!
-
Tuesday 17th August 2021 15:30 GMT Anonymous Coward
"why the business climate across the pond is subdued"
Probably there's more manufacturing in EU than in US where everything was sent abroad because it was cheaper to make. Even handling bank transactions. While many EU products are regarded far higher than their US counterparts.
Sure, looking at the IT sector only the difference is clear. But since the iPhone (built in China..., as well a large part of its inner design, nowadays) that difference has been built mostly on squeezing people to extract as many data as possible to sell ads placements - and little more. Plus all the adverse effects of this "brave new world".
Capitalism without regulations soon becomes a wild west where any rule is broken to advantage the 800 pound gorillas only. Even in US that is being slowly understood.
-
Wednesday 18th August 2021 11:50 GMT gandalfcn
Re: Let's just hire every person in Europe to be a bureaucrat
Then the tax system, arguably the most onerous and complicated in the world, Import and export documentation are a nightmare and as we are now seeing even the ability to cast one's vote is fraught with problems which some states are trying to make even more difficult. So methinks anyone claiming the USA is anything other than a bureaucratic nightmare hasn't much experience overseas.
-
Wednesday 18th August 2021 07:59 GMT imanidiot
Re: Let's just hire every person in Europe to be a bureaucrat
The problem in the US is that you don't have to deal with JUST the regulations of the United States of America federal government but also with the (often conflicting or at least very different) state laws and even local municipal laws. And then there's 20001 different agencies on both federal, state and municipal levels who often have their own interpretation on what the laws should be regardless of what the actual laws read.
-
Friday 20th August 2021 16:16 GMT Skippy94
Re: Let's just hire every person in Europe to be a bureaucrat
The irony of your comment is that the U.S. doesn't have a federal privacy law. And the GDPR aimed to reduce regulations and regulators.
So each of the States are slowly passing their own laws, with a myriad of regulators.
Add to that, the US has industry specific privacy regulators with different rules etc.
If anything, one of the things GDPR did was aim to standardise things by making it a regulation rather than a directive (didn't work in its entirety, but still better than it was before) and by having things like the one stop shop where the regulators across Europe operate in tandem
If anything, Brexit just adds another regulator. The more we depart from the GDPR and European case law, the more bureaucrats have to do, and the more lawyers and consultants get paid to explain the differences between those regulations.
The US actually passing a standardised federal privacy law might be one of the few things which is partisan in the States as they are recognising they can't go on with each state/industry having their own rules.
Just goes to show that rants like yours, which might resonate with the man in the pub 6 pints in who knows nothing about legal regimes, are actually the complete opposite of what you are making out.
-
Tuesday 17th August 2021 14:22 GMT big_D
Well, duh!
Article 5 of GDPR, which states among other things that data should be "collected for specified, explicit and legitimate purposes" and be "adequate, relevant and limited to what is necessary." The report moaned that this limited "AI organisations from collecting new data before they understand its potential value and they also mean that existing data cannot be reused for novel purposes."
Well, that is basically the point of GDPR, no misuse of the data for things it wasn't originally collected for, and once it has served its purpose, it is to be deleted.
Want to use it for "AI", then spell out exactly what you want and why you want it. And "warehousing the data, because it might become useful someday" is not a valid ground for collecting or storing the data.
-
Tuesday 17th August 2021 14:51 GMT b0llchit
That is why I installed Jitsi Meet on a private server when we started to work from home quite some time ago. However, most organizations hopped onto the empty cloud-promise and subsequently have lost all knowledgable personnel for running a private IT infrastructure. Now they are locked into a system that is, one piece by the other, deemed incompatible with the GDPR.
Oh my,... I hear the phrase "I told you so" ringing in so many companies from the techies now... It is embarrassing.
-
Tuesday 17th August 2021 15:39 GMT elsergiovolador
Great Data Purging Revolution
Most of these services are non compliant. They harvest data without justification. Running targeted ads on the platform is not a valid reason.
Problem is that nobody dares to prosecute them. Agents prefer to focus on small or medium business, because they have no teeth.
If they were going to pick on a big platform, chances are they would get a job offer or other indecent proposal to drop it.
When billions are at stake, there is nothing these companies cannot do to protect their interests.
Given that GDPR has done nothing for privacy - quite the opposite, I am still of an opinion that this was created to give civil servants an opportunity to get bribes. Corruption is still largely not investigated.
-
Tuesday 17th August 2021 16:04 GMT SImon Hobson
Re: Great Data Purging Revolution
I couldn't decide whether to upvote you for the first bit, or downvote you for the second - so I've done neither.
I believe that GDPR has done something for privacy, just not as much and as fast as many had hoped. I believe it will come sooner or later.
The problem which you point out, that none of the big suspects such as FaecesBorg have been fined yet is that technically they haven't broken the law - because they've used mechanisms that have officially been endorsed by the authorities. First it was Safe Harbour until Schrems I killed that, then the hurriedly cobbled together Privacy Figleaf until Schrems II killed that. But with the latter, there's still this "grey zone" while TPTB work out what to do. They can't ignore it, but equally there's a lot of pressure to avoid completely killing trans Atlantic trade - which would harm us as much as it would harm the US.
But in the interim, many services have improved their contractual terms and don't sell you without your permission - though that doesn't get round government snooping. Long term I think we'll see many more setting up the web of separate legal entities and technical barriers such that you'll be able to sign up for a service, and have some confidence in the data staying within the EU.
At the moment there isn't that confidence (at least amongst those with a memory longer than that of a goldfish), because Microsoft demonstrated the day after the CLOUD act was passed into law that people in the US could access and copy data from a server located in Ireland. Because of the complex way connections (especially for authentication) bounce around the globe, I'm not sure Microsoft can provide that guarantee with their current setup regardless of what they might claim publicly.
-
Tuesday 17th August 2021 16:38 GMT elsergiovolador
Re: Great Data Purging Revolution
GDPR was never created to protect personal data. It was created to protect companies. If you noticed people accept GDPR terms without reading which gives companies who use that data legal protection.
Then one of requirements was data portability which forced many companies into implementing data export facilities. This means they can more easily pull the data from the system and sell it, even companies who didn't think about that.
If you want to learn about juicier ways how this legislation is harmful, check this document: GDPArrrrr: Using Privacy Laws to Steal Identities
This video is also worth watching: Probably an Irreverent Overview of GDPR
-
Tuesday 17th August 2021 19:29 GMT doublelayer
Re: Great Data Purging Revolution
Really? That's crap logic.
"If you noticed people accept GDPR terms without reading which gives companies who use that data legal protection."
If you noticed, they did that before. The companies have no more protection now than they used to, and now there are terms which they can't legally put in there.
"Then one of requirements was data portability which forced many companies into implementing data export facilities. This means they can more easily pull the data from the system and sell it, even companies who didn't think about that."
Yeah, so? They had the ability to sell the data at any time, but now, it's illegal for them to do it. How did GDPR help here? Just like the last one, this law gave them no new rights and restricted a few they used to have.
-
Wednesday 18th August 2021 00:39 GMT elsergiovolador
Re: Great Data Purging Revolution
If you noticed, they did that before.
There is quite a significant difference, that is they are invited with consent popups everywhere, that they click "accept" without reading what they consent for. This is now giving companies legal right to use data however they want (as users agreed, no?) and before GDPR it was not clear if use of data was entirely legal because they usually wouldn't even include a privacy policy on the website and displaying a giant invitation to consent would look suspicious. Now this is on pretty much every website, so now companies are covered and they can prove the data they sell is legit.
Yeah, so? They had the ability to sell the data at any time, but now, it's illegal for them to do it.
It was a gray area and today still is (you know users consented for their data to be sold by clicking that popup and before GDPR you couldn't really prove the users you are selling data of had consented). Many companies before that were not interested in selling data, but as a result of the information campaign they see it as an asset. Now that they can obtain consent and conveniently also are compelled by law to develop easy to use export options, they were given all the tools to monetise that personal data.
I think you are relying much on the claimed intent and missing the big picture of what actually is the purpose of GDPR.
They used law 3 from 48 Laws of Power
-
Wednesday 18th August 2021 16:28 GMT doublelayer
Re: Great Data Purging Revolution
I didn't, because the text above the video was so ridiculously false. My reply was based on that. I was planning to eventually watch the video at some later point, but it could be someone else with real information or something equally bad, so it wasn't high on my list of actions. It may describe real downsides of the GDPR, of which there are several, but if the text above is any summary, it isn't.
-
Wednesday 18th August 2021 00:59 GMT Anonymous Coward
Re: Great Data Purging Revolution
"At the moment there isn't that confidence (at least amongst those with a memory longer than that of a goldfish), because Microsoft demonstrated the day after the CLOUD act was passed into law that people in the US could access and copy data from a server located in Ireland. Because of the complex way connections (especially for authentication) bounce around the globe, I'm not sure Microsoft can provide that guarantee with their current setup regardless of what they might claim publicly."
At one stage several years ago Microsoft designed their "Cloud" zone in Germany to avoid the USA CLOUD Act type of concerns. How? They contracted T-Systems (IT services part of Deutsche Telekom) to build and operate the Germany zone for them - the contract in place defined how the Germany zone should be run but importantly Microsoft had zero access to the zone so even if Microsoft were required by US Gov to obtain data from that zone there was no way that they could do so.
https://azure.microsoft.com/en-gb/blog/microsoft-azure-germany-now-available-via-first-of-its-kind-cloud-for-europe/
Unfortunately after a couple of years Microsoft decommissioned that zone and replaced it with new facilities in Germany built and operated by themselves - so removing the protections of the previous solution.
https://docs.microsoft.com/en-us/azure/germany/germany-migration-main
-
Tuesday 17th August 2021 19:31 GMT doublelayer
Re: Great Data Purging Revolution
He's certainly useful in this, but he doesn't get to fine the large companies who violate GDPR all the time. The organizations which have that power seem to take a very long time to do anything. It's certainly better than before when they had no power, but it could be even better if they started using their authority often.
-
Tuesday 17th August 2021 20:10 GMT A.P. Veening
Re: Great Data Purging Revolution
He's certainly useful in this, but he doesn't get to fine the large companies who violate GDPR all the time. The organizations which have that power seem to take a very long time to do anything. It's certainly better than before when they had no power, but it could be even better if they started using their authority often.
The organizations are most certainly starting to use those powers seriously, e.g.:
Euro watchdog will try to extract $900m from Amazon for breaking data privacy laws
-
Wednesday 18th August 2021 06:56 GMT LybsterRoy
Re: Great Data Purging Revolution
Whilst I'm not sure about the bribes bit I am on your side about it having done nothing for privacy. It's a bit like the click to accept cookies idea. Theoretically it's great, in reality I'm mega grateful to the person who posted about "I don't care about cookies". Saves me ages and much aggravation.
-
Tuesday 17th August 2021 17:06 GMT Doctor Syntax
"And that came as a shock to a lot of people, since it rather suggested that the model clauses were not fit for purpose."
That would be those people who'd been engaging in wishful thinking. Anyone engaging in just straightforward thinking would have seen that any business exposed to US legislation couldn't cover themselves that easily.
-
Tuesday 17th August 2021 20:05 GMT Falmari
Don't store personal data
If they do not store personal data they can not fall foul of GDPR.
What personal data does video conferencing software need to store?
Not the conference, if a conference member wants to record it it can be stored to the local machine.
Who a user has connected to is not needed, just how long a user has been in video conference if billing is based on usage.
Users contacts that can be stored locally.
Surely all that is needed to be stored is enough user details for billing and usage details, amount of usage but not who they connected to.
-
Wednesday 18th August 2021 00:50 GMT Anonymous Coward
Re: Don't store personal data
"What personal data does video conferencing software need to store?"
Firstly it's about what personal data is "processed", where processing includes, but is not limited to, storing.
Examples:
- account information for login authentication
- billing details (i.e. credit card details, home address, possibly phone number)
- personal email address (i.e. for conference invites etc)
- in some cases the actual audio content of conference where audio-to-text-transcoding is offered as (an optional) part of the service
- TCP/IP address of each participant (obviously for conference connectivity purposes but also potentially for billing, auditing, security purposes).
That list is just off the top of my head.
-
Wednesday 18th August 2021 17:22 GMT Falmari
Re: Don't store personal data
@AC I agree with most of the points in your two posts. But I did not say no details had to be stored hence the last line of my post "Surely all that is needed to be stored is enough user details for billing and usage details, amount of usage but not who they connected to."
I feel that covered your first two points on account and billing.
I had not thought of :-
- personal email address (i.e. for conference invites etc)
- in some cases the actual audio content of conference where audio-to-text-transcoding is offered as (an optional) part of the service
excellent points +1.
But TCP/IP does not have to be stored and if it counts as processing just to make a connection then how can any company outside the EU comply with GDPR if a connection has to be made to a server or another user be that video conferencing, messaging or even something like Adobe subscription PhotoShop? Surely in the case of TCP/IP as long as it is not stored it can't break GDPR.
-
Thursday 19th August 2021 01:20 GMT Anonymous Coward
Re: Don't store personal data
"But TCP/IP does not have to be stored and if it counts as processing just to make a connection then how can any company outside the EU comply with GDPR if a connection has to be made to a server or another user be that video conferencing, messaging or even something like Adobe subscription PhotoShop?"
I'm the 1st Anonymous Coward above, the 2nd one wasn't me :-)
GDPR is *not* about storage, it is about "processing" of personal data, its right there on the 1st page of the GDPR:
"on the protection of natural persons with regard to the processing of personal data and on the free movement of such data"
GDPR Article 4(2) defines processing as:
"‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"
So establishing a TCP/IP connection (e.g. on a webserver), which obviously involves the end-user's IP address, could be defined as either "collection", or "consultation", or "use" of that IP address. That such an action (setting up a socket connection) is "processing" doesn't in and of itself mean that it would break GDPR - it might or might not depending on other aspects.
"Surely in the case of TCP/IP as long as it is not stored it can't break GDPR."
If you were to run a webserver in RAM with logging disabled then that is still potentially "processing of personal data" (i.e. if it's a domestic IP address, not a work one) in terms of GDPR. To determine if it is *valid* processing or not you need to look if there is a lawful basis (for example you could decide the lawful basis is "consent" as the end-user decided to go to that website, or if the website is a members-only website (i.e. with login) you could decide the lawful basis is "necessary for the performance of a contract"). There are 6 lawful bases to choose from...
For example it would be valid to store IP addresses in logfiles for a time period (e.g. 1-3 month) for (network) security purposes so that if you get DDOSed or hacked you have the logs for an investigation. However keeping the logs so that your Marketing Department can check out the IP addresses might be deemed a breach of GDPR.
The point is Data Protection (not just GDPR) is complicated so you can't really say in a single sentence "doing X is ok but doing Y is a breach of GDPR".
Oh and don't call me Shirley ;-)
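The retention point in the comment above (IP addresses kept in log files for a limited period for security investigation, not indefinitely), as an added example that is not part of the original thread. It assumes access logs in the common/combined format and a 90-day window; the function names, the optional "mask" mode (IPv4 cut to /24, IPv6 to /48) and the sample lines are this example's own, and whether a truncated address still counts as personal data is not something the code settles.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Common/combined log format: client address, ident, user, [timestamp], rest.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def mask_ip(text):
    """Zero the host part of an address: IPv4 keeps /24, IPv6 keeps /48.

    The prefix lengths are an example policy, not a legal threshold.
    Raises ValueError if `text` is not an IP address.
    """
    addr = ipaddress.ip_address(text)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def enforce_retention(lines, now, retention_days=90, expired="drop"):
    """Apply a retention window to access-log lines.

    Lines newer than the window are kept verbatim (full IP available for
    DDoS or intrusion investigation). Expired lines are dropped, or with
    expired="mask" rewritten with a truncated address and no user name.
    Lines whose age or address cannot be established are dropped (fail
    closed) and counted as "unparsed".
    Returns (kept_lines, stats).
    """
    if expired not in ("drop", "mask"):
        raise ValueError("expired must be 'drop' or 'mask'")
    cutoff = now - timedelta(days=retention_days)
    kept = []
    stats = {"kept": 0, "masked": 0, "dropped": 0, "unparsed": 0}
    for line in lines:
        m = LINE_RE.match(line)
        try:
            if m is None:
                raise ValueError("not a log line")
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            masked = mask_ip(m["ip"])
        except ValueError:
            stats["unparsed"] += 1
            continue
        if ts >= cutoff:
            kept.append(line)
            stats["kept"] += 1
        elif expired == "mask":
            # The authenticated user name identifies a person too: blank it.
            kept.append(f'{masked} - - [{m["ts"]}] {m["rest"]}')
            stats["masked"] += 1
        else:
            stats["dropped"] += 1
    return kept, stats


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.57 - - [10/Aug/2021:09:15:02 +0000] "GET /join HTTP/1.1" 200 512',
    '198.51.100.23 - alice [02/Apr/2021:18:40:11 +0000] "POST /login HTTP/1.1" 302 0',
    '2001:db8:abcd:12::1 - - [15/Mar/2021:07:01:44 +0000] "GET / HTTP/1.1" 200 1024',
    'not a log line',
]
NOW = datetime(2021, 8, 19, tzinfo=timezone.utc)

if __name__ == "__main__":
    for mode in ("drop", "mask"):
        lines, stats = enforce_retention(SAMPLE_LOG, NOW, expired=mode)
        print(mode, stats)
        for entry in lines:
            print("   ", entry)
```

Run from a scheduled job against rotated logs, so that retention is enforced by the system and not by someone remembering to delete files.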
-
Wednesday 18th August 2021 01:12 GMT Anonymous Coward
"Zoom has said its products feature "an explicit consent mechanism for EU users" on its platform and that it has implemented "zero-load" cookies for users whose IP address show they are accessing the site from a EU member state."
Unfortunately not good enough - I've worked at places where traffic from an office in one country may be routed internally between countries and pop out onto the Internet "near" the destination website. Any location indicated in WHOIS records for an IP address block does not necessarily indicate the correct country (especially if it's subnetted further "internally") that the end user is in. Indeed whenever a TCP/IP address block is sold it may take some time for its WHOIS records to be updated.
From a GDPR perspective, if the end-user is physically in the EU then the appropriate cookie laws/rules apply regardless of whether the destination website/server app guessed your country location correctly or incorrectly. So using indicated IP location is a form of "best effort" but, at least in theory (as many EU member agencies are useless at GDPR enforcement), best effort is not good enough.
-
Wednesday 18th August 2021 11:37 GMT Ozzard
Far more entertainingly, Zoom may route call traffic between non-EU nodes
GDPR says nothing about whether or not personal data is encrypted; merely that personal data is processed.
Zoom is not a peer-to-peer network; it uses traffic routing nodes worldwide, and explicitly states in its T&Cs that it may use any node or combination of nodes to route traffic.
Net effect: your video traffic, even if allegedly "end-to-end encrypted" (show me the code, the design, and the architecture), may be processed through one of Zoom's US routing nodes on the way from an EU source to an EU destination. And if video traffic ain't personal data, I don't know what is.
Then add in users who use VPNs and deliberately appear to be in different countries, and EU offices of US organisations where the Internet traffic from the EU users pops out of a US Internet peer. Zoom has no way of knowing where any given user is physically sited, so its only recourse would be a re-architect of its entire system that routes all video and audio traffic peer-to-peer (and doesn't provide cloud recording or transcription services). Then it would only have the more common kind of user data to worry about... :-)
-