Berlin shows the video conference service Cisco Webex Meetings the red light, but the consequences are disputed. The traffic light system was developed by the data protection officer of the State of Berlin during the corona crisis, as online communication has become enormously important because of working from home.
It evaluates conference system providers. Webex is one of the services for which the signal is red, which means that there are deficiencies “that exclude legally compliant use of the service”.
Webex is still used at Freie Universität Berlin – for online lectures, committee meetings, study groups and much more. The Asta has long been calling for a transition to a data protection-compliant solution. Reference is made, for example, to the Humboldt University and some FU departments in which the open source application BigBlueButton is used.
In January 2021, the student representatives asked the data protection officer to check the use of Webex at the FU.
Authority: Cisco illegally transfers personal data to the United States
The result, which was also communicated to the university management in November and which has now been made public by the FU-Asta, is clear: the cloud solution used cannot be used “in accordance with data protection regulations”. A spokesman for the authorities explained to the Tagesspiegel that Cisco is illegally transferring personal data to the USA – where, according to the ECJ, there is no adequate level of protection.
[Videokonferenz statt wissenschaftlicher Tagung in Präsenz: “Routinen der Kommunikation funktionieren nicht mehr”]
In addition, the cooperation between FU and Cisco is based on a legally non-compliant “order processing contract”, as this does not exclude unlawful further use of the data.
The FU is now called upon to present a schedule of measures that “decisively reduce the violation of the fundamental rights of the persons concerned”. It depends on whether and for how long the use of Webex can be tolerated. The authority had proposed changes and offered discussions, but also had the option of prohibiting the FU from continuing to use the tool.
[Wenn Sie aktuelle Nachrichten aus Berlin, Deutschland und der Welt live auf Ihr Handy haben wollen, empfehlen wir Ihnen unsere App, die Sie hier für Apple- und Android-Geräte herunterladen können]
Meanwhile, it is said from the university that at the moment “it cannot be said that the mission is not in accordance with the law”, since a final result of the data protection check is not available. A careful examination of the FU data protection officer had shown “a still justifiable commitment”. A market test also showed “that there are no exclusively European alternative providers” for the required scale. In addition, there are “ongoing adjustments to the technical and organizational measures to protect personal data” when using Webex.
Asta spokesman Janik Besendorf considers it “unlikely” that Webex can be used in compliance with GDPR. He explains that the FU is not tackling its data protection problems resolutely with “overloading the IT department due to savings” and a “mindset that prefers commercial providers and gives data protection little priority”.
The student representatives have now requested inspection of the files. The initiation of legal steps, including claims for damages, is also being considered.
