The Hessen data protection authority ('HBDI') announced, on 17 June 2022, that the app, Zoom, can now be used at Hessian universities for conducting their courses along with the prerequisite that such universities should ensure US authorities cannot access content and metadata through the video conferencing app. In particular, the HBDI stated that it had called for a ban on the use of systems such as Zoom in July 2021, requesting Hessian universities to design frameworks for the use of US video conferencing systems in line with data protection requirements, or to switch to systems that comply with the same. In this regard, the HBDI specified that such a ban was enforced in light of the Court of Justice of the European Union's ('CJEU') decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), with regards to which, the HBDI noted that US service providers, such as Zoom, could not guarantee that personal data would not be accessed by US authorities. Furthermore, the HBDI noted that, with its support, a Hessian university has developed a 'Hessian model' to use Zoom video conference systems that can be configured in a manner that does not violate the data protection requirements of the CJEU. More specifically, the HBDI stated that the Hessian model ensures that universities:

• use an EU-based processor, independent of Zoom, to operate the video conferencing system on servers based in the EU;
• provide end-to-end encryption to all content data;
• prevent the flow of personal data of students to the US, and access to it by US bodies;
• restrict use of Zoom to courses and provide an alternative privacy-compliant video conferencing system for other purposes; and
• inform teachers and students in detail about further supporting measures to protect informational self-determination.

You can read the press release, only available in German, here.