Steve Rowan – passionate about "talking the talk".
Summary: Steve Rowan on the implementation of illegal surveillance by Microsoft and the United States, covering all EPO operations including strictly confidential communications
Steve Rowan moved to the EPO in 2019 (warning: epo.org link). Prior to that he had held the position of Director of Patents, Trade Marks, Designs and Tribunals at the UKIPO.
Steve was recruited by Campinos as part of a drive to give the EPO's senior management team a "new look" and as part of a carefully orchestrated attempt to create a "perception of independence" from Team Battistelli, which had fallen into public disrepute.
Since then this affable and garrulous Welshman has been busy doing the rounds, "talking the talk" and pressing the flesh in an effort to convince EPO staff that everything has changed for the better.
When listening to him you could be forgiven for coming away with the impression that it's all one big happy family now and that the unpleasantness of the Battistelli era has been consigned once and for all to the dustbin of history – even if Elodie Bergot is still running the show at the HR Department.
Steve has taken to his new role like a duck to water and he seems to enjoy playing the EPO's "Prince of Woke", sponsoring events such as the "Women in the Lead" programme - a mentoring initiative for women at the EPO aspiring to managerial roles - and various other worthy "diversity & inclusion" causes.
More recently, at the start of February, Steve issued a communiqué to EPO staff on the subject of "Outlook Migration to the Cloud". This communiqué is noteworthy because it confirms the EPO's increasing reliance on cloud computing services hosted by Microsoft.
In his communiqué Steve informed EPO staff that
"as announced in previous intranet items published in May and December 2020, our Outlook mailboxes are being transferred to the cloud."
But when reading the full text of the communiqué it's impossible not to wonder whether Steve fully understands the P's and Q's of data protection and the potential risks associated with putting all of the EPO's precious data eggs into the Microsoft basket:
"With the help of contract terms, a data protection agreement and technical implementation, the EPO has ensured the best possible protection for the data stored using Microsoft's cloud services. Microsoft guarantees that the data itself is stored on EU servers within the jurisdiction of the European data protection rules (GDPR).
Under the US Foreign Intelligence and Surveillance Act (FISA) and the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Microsoft is obliged to grant security and intelligence agencies access to data stored in its cloud, even when stored on EU servers.
However, the protection level offered by Microsoft is still sufficiently high for DG 1 processes in place for confidential data exchange not to need encryption.
By contrast, to comply with the highest standards, which of course include the requirements imposed under the GDPR, encryption is needed for strictly confidential data.
The guidance on the use of cloud tools therefore states that it is only strictly confidential data that must not be stored in plain form in the cloud, whereas merely confidential information can be stored there without limitations."
Is EPO Vice-President Steve Rowan living in a data protection "cloud-cuckoo land"?
Steve's blind faith in Microsoft and its assurances is very touching but one wonders whether he realises the full ramifications of handing over the EPO's internal e-mail and video-conference communications to a US-based electronic communications services provider.
Quite bizarrely, he doesn't seem to bat an eyelid over the fact that
"Microsoft is obliged to grant security and intelligence agencies access to data stored in its cloud, even when stored on EU servers".
Despite the gushing optimism of the EPO Vice-President, there remains a nagging suspicion in some quarters that the EPO's increasing reliance on Microsoft - in particular its cloud computing services - is a legitimate source of public concern.
Before looking into this in more detail we will make a detour into the subject of mass surveillance and "digital sovereignty".
This planned intermezzo is intended to assist the reader in making a fully informed judgment as to whether everything is really as fine and dandy as Steve would have us believe or whether - as some suspect - he is living in a data protection "cloud-cuckoo land"…