Bonum Certa Men Certa

EPO and Microsoft Collude to Break the Law -- Part X: The Spectre of GDPR…

Previous parts:



GDPR and Microsoft
More about Microsoft's run-ins with European data protection authorities



Summary: António Campinos and his friends may have put the EPO in legal "hot water", having already outsourced EPO data to a serial GDPR violator with a notorious track record in other aspects, too

In April 2019 it was reported that "the Spectre of GDPR" continued to haunt the hallowed halls of Redmond, this time in the shape of an investigation ordered by the EU Data Protection Supervisor (EDPS) into Microsoft products used by EU institutions.



The move by the EDPS was prompted by the outcome of the Data Protection Impact Assessment which had been commissioned by the Dutch Ministry of Justice and Security in 2018.

"The move by the EDPS was prompted by the outcome of the Data Protection Impact Assessment which had been commissioned by the Dutch Ministry of Justice and Security in 2018."The EDPS noted that any EU institutions using the applications investigated by the Dutch authorities would face similar issues including "increased risks to the rights and freedoms of individuals".

The report of the EDPS on the "Outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services" was published on 2 July 2020.

The EDPS identified a number of serious issues calling for further action, including the following:

● The licensing agreement between Microsoft and the EU institutions was formulated in loose manner that effectively permitted Microsoft to act as a data controller which the EDPS found inappropriate.

● The lack of control by EU institutions over which sub-processors Microsoft used and the lack of meaningful audit rights presented significant issues which needed to be addressed.

● EU institutions were unable to control the location of a large portion of the data processed by Microsoft. Nor did they properly control what was transferred out of the EU/EEA and how. There was also a lack of proper safeguards to protect data that left the EU/EEA.

● EU institutions had few guarantees at their disposal to defend their privileges and immunities and to ensure that Microsoft would only disclose personal data insofar as permitted by EU law.

According to the EDPS, the EU institutions lacked sufficient clarity as to the nature, scope and purposes of the data processing carried out by Microsoft and the risks to data subjects for the purpose of complying with their transparency obligations towards data subjects.

The EDPS recommended that all EU institutions perform tests using a revised and comprehensive approach in order to monitor and stem the flow of personal data generated by Microsoft products and services and sent to Microsoft.

"The EDPS recommended that all EU institutions perform tests using a revised and comprehensive approach in order to monitor and stem the flow of personal data generated by Microsoft products and services and sent to Microsoft."It remains to be seen whether or not the EDPS' beef with Microsoft will be resolved in an amicable manner or whether it will result in the imposition of GDPR fines which, in serious cases, can be as much as 4% of a company's worldwide annual revenue.

Microsoft has also had its fair share of grief with the data protection authorities in the EPO's main host country, Germany.

Back in July 2019 it was reported that the data protection authority in the state of Hesse had issued a ruling that Microsoft’s Office 365 could no longer be used by schools following the closure of a German data centre which had been used by Microsoft to provide cloud services.

This ruling came after several years of domestic debate about whether German schools and other state institutions should be using Microsoft software at all.

To allay German privacy concerns, Microsoft had invested millions in a German cloud service, and in 2017 Hesse authorities agreed that local schools could use Office 365 as long as German data remained in the country. But in August 2018 Microsoft decided to shut down the German service which meant that, once again, data from local Office 365 users would be transmitted across the Atlantic.

"...in August 2018 Microsoft decided to shut down the German service which meant that, once again, data from local Office 365 users would be transmitted across the Atlantic."In view of the changed circumstances, the data protection commissioner decided that there was now an unacceptable risk that users' data could be accessed by US authorities.

More recently, in October 2020, it was reported that at the Conference of German Federal and State Data Protection Supervisory Authorities, a majority of Germany's regional data protection commissioners supported a finding that Microsoft Office 365 did not comply with GDPR standards. They also made clear that changes were urgently needed to comply with the CJEU Schrems II judgment on cross-border data transfers.

Once again, it's too early to say whether this matter will be resolved in an amicable manner or whether it will result in the imposition of GDPR fines.

However, for some time now German lawyers have been warning their clients about the potential financial risks of using non-GDPR compliant software, including many widely used Microsoft products.

For example, one Hamburg-based law firm published the following advice in July 2020:

"...for some time now German lawyers have been warning their clients about the potential financial risks of using non-GDPR compliant software, including many widely used Microsoft products.""Using MS-Teams, Skype and other Office 365 services violates data protection law and may result in million Euro fines. That’s the conclusion of two papers recently issued by the Berlin Commissioner for Data Protection and Freedom of Information. There is urgent need for action in many companies now."

Time will tell whether or not such warnings are justified. However, based on past experience Microsoft is unlikely to be given an easy ride by the German and other European data protection authorities and this may well have some unpleasant fallout for commercial users of its services and products.

In the meantime German scepticism about Microsoft has surfaced in the European Parliament.

In February 2020, Klaus Buchner - a university professor, physicist, and MEP for the green-conservative Ecological Democratic Party - submitted the following question to the EU Commission:

Subject: Microsoft Windows 10 in European local authorities

IT is part of our critical infrastructure, and in European local authorities as well IT means Microsoft Windows and Microsoft Office. It is as if European drivers could only buy cars made by one US manufacturer. As a result, European local authorities and European industry are totally dependent on a foreign monopoly supplier and are required to kow-tow to a foreign legal system and comply with foreign court judgments, which apply to Microsoft in the EU as well. To make matters worse, Windows 10 systematically transmits personal data to Microsoft. Little is known about how that data is used. The upshot is that local authorities may find themselves facing legal action for breaches of the data protection rules and the German Industrial Constitution Law. Background: ‘[...] The Data Protection Officers of the Federal Government and the Länder see little scope for using Microsoft’s Windows 10 operating system in accordance with the law […]’

Instead, standard programmes could be developed at EU level and made available to local authorities free of charge. This standard software could also be hosted in regional data centres in the EU and interested local authorities could transfer their IT operations to those centres. Of course, each local authority would be required to tailor the standard programmes to local needs and operate them independently, either from their own data centres or in an EU cloud.

1. Are there alternatives to monopoly costs and data protection problems? 2. Does the Commission see any scope for offering greater support for the use of free openware such as Linux and OpenOffice / LibreOffice?


The answer which came back from EU Commissioner Thierry Breton was for the most part the usual hot air which didn't really address the elephant in the room.

"In the meantime German scepticism about Microsoft has surfaced in the European Parliament."However, Breton took advantage of the opportunity to plug the Commission's ongoing efforts to promote an "EU cloud initiative" which would "offer credible European alternatives to non-EU providers".

And with that, we conclude our potted history of Microsoft's long-running and continuing problems with European data protection authorities.

In the next part we will take a look at some "close encounters" between the software behemoth of Redmond and other regulatory authorities, in particular the trust-busters on both sides of the Atlantic.

Recent Techrights' Posts

Misinformation is Not Intelligence
It's low-grade plagiarism and it fails to show any signs of intelligence
'Tech' Gimmicks Are for Advertising, Not for Usability
In the case of Microsoft, they latched onto slop
BetaNews Sacked Brian Fagioli and Deleted His Comments, But He Still Tries to Use the "BetaNews" Brand for Self-Affirmation
Fagioli takes the work of other people
[Meme] Hard to Be a Better Person?
Sooner or later they'll realise that for each pound I spend they need to spend about 1,000 times more
 
YouTube is a Spamfarm, Slopfarm, and Clickfarm (a Lot of Numbers There Are Fake)
Those who don't fake look unpopular and unimportant
We Don't Do JavaScript and Pages Are Small
Thankfully Gemini Protocol has nothing like JavaScript
'Tech' is Not Technology
Some people use terms like 'Old Tech'
IBM's Debt Rose by Almost 10 Billion Dollars in the Past 6 Months Alone
The "hey hi" circus is coming to an end
Yes, Master
Gaslighting by actual racists
Microsoft Bribes and Buys Politicians to Tell Europe What to Do About Free Software (Which It's Attacking)
Microsoft: we speak for the thing that we are attacking! Follow the money...
Making Backups Quickly and Reliably
Backups are imperative, more so in an age of uncertainty, unpredictable weather, and worsening standards (quality of products going down while prices go up)
Techrights Investigation: Estimating the Point in Time LinuxIac Turned Into LLM Slop (Part of the Time)
Bobby Borisov got lazy
10th Month, Ten Weeks From Now, at Ten AM
In Wentworth Institute of Technology in Boston
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, July 24, 2025
IRC logs for Thursday, July 24, 2025
A Nadella Memo Distracts From Microsoft's Cheapening Of the Workforce
Right now the "MSM" (mainstream media) is flooded/overwhelmed by garbage pieces that relay lies for Nadella
Vanishing Faces of GNU/Linux
Free software projects do not depend on any one person or company to still exist
Microsoft Says It Lost 400 Million Windows Users, Now It's Waiting for GNU/Linux to Stop Booting on 'Old' PCs
When it comes to Windows, Microsoft is fully aware of the issue and statements it made earlier this summer suggest it lost 400 million Windows users
Slopwatch: LinuxTechLab, linuxsecurity.com, LinuxIac, and More
Also: The Register's Microsoft agenda (new editor)
Gemini Links 25/07/2025: Gemtext Aware Titan Editor and Gemini Protocol Comeback
Links for the day
Links 24/07/2025: Convicted Felon Quits UNESCO, "Vibe Coding Goes Wrong", and Signalgate Gets Worse
Links for the day
Gemini Links 24/07/2025: Forgejo Woes and Smolnet Directory Week
Links for the day
Links 24/07/2025: Storage Tapes Still Kicking, Windows TCO 'on Steroids' (Microsoft-Induced Catastrophes)
Links for the day
Bobby Borisov (LinuxIac) Has Apparently Begun Experimenting With LLM Slop, So We Cannot Trust LinuxIac Anymore
So did LinuxIac become a slopfarm? Maybe not yet, but it's getting there
Informa TechTarget's ITProToday is Becoming a Slopfarm Generated by Microsoft Chatbots
Busted.
The LLM Con Artists Are Highly Destructive
Who will ever be held accountable for this scam?
Too Bribed by Microsoft to Move to Free Software?
Microsoft lies and Microsoft bribery (in politics)
New US Editor for The Register is a Microsoft Booster
"Avram Piltch has served as US editor for The Register since July 2025."
Microsoft Hiring European Politicians is Another Form of Bribery; There Should be a European Investigation
When Microsoft bribed people in Europe for OOXML (there's no denying this!) a European government delegate said that Microsoft operated like a cult
Reda Demanded That FSF Removes Its Founder, Now Reda Works Directly for Microsoft
A sellout and a traitor, first working for GAFAM, now Microsoft
PCLinuxOS is Raising Money to Support Development After Fire Incident at the Host
PCLinuxOS has not had announcements lately
Speed of the Site Should be Better Now
The "bot attacks" impact the speed of the sister site too
Getting More From AnalogNowhere
Recently we used many images from AnalogNowhere
Microsoft, Microsofters and 'Secure' Boot Shills Already Storming the LWN Report About Expiring Certificate, Shooting the Messenger
LWN has clearly stuck a nerve
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, July 23, 2025
IRC logs for Wednesday, July 23, 2025
Disable "Secure" Boot Today (the Only Better Time to Do So Was Yesterday)
Don't trust anything Red Hat tells you about security
Links 23/07/2025: Windows Killed Company After 150+ Years, US Government Mimics Russia's Attacks on the Media
Links for the day
Freedom Generally Wins at the End, History Shows (But It's Constantly Attacked, Too)
At the moment people realise "Linux" (e.g. Android) isn't enough to guarantee any freedoms
Over 3 Months Later Brett Wilson LLP Still Unable to Recruit a Media Lawyer?
"Immediate start", but not found... still unfilled
“Inhumane” and “Disgusting” Mass Layoff Execution, According to Microsoft Staff
The workers are looking for other places to work
The Free Software Foundation (FSF) Has a New Slogan for Its 40th Anniversary
The freedoms are what's most important
Microsoft is Trying to "Pull a Nokia" on GNU/Linux as Desktop/Laptop Platform
We all remember that rather well, don't we?
LLM Slopfarms gbhackers.com, "Cyber Press" and CyberSecurityNews Are Drowning Google News (and Shame on Google for Feeding and Facilitating Them)
All are run by the same people
Links 23/07/2025: Droplets GUI Patent Monopoly Challenge, Nokia Leverages Illegal Patent Court Against Rivals
Links for the day
Gemini Links 23/07/2025: Community in Geminispace and Challenges With Old Computers
Links for the day
Links 23/07/2025: Slop Patents Tackled, Slop Copyright Misuses Tackled by Politicians
Links for the day
Our Three Lawsuits Against Microsofters Are About to Become a Lot More Relevant to GNU/Linux
The Master will easily understand why Garrett has been attacking me since 2012
Links 23/07/2025: Retreating From Transparency on Jeffrey Epstein, We No Longer Have Press Freedom
Links for the day
Gemini Links 23/07/2025: Piano and Food
Links for the day
New and Old
On Ageism in Tech
Slop Is Not Intelligence and It Does Not Enhance Productivity
Like voice dictation, which cannot tell the difference between "sheet" and "shit"
EPO Crimes Are Spreading to the British Court System
Society is now paying the price for failing to tackle crimes at the EPO
It's Time to Dump SharePoint and Here's What to Use Instead
Nextcloud, ownCloud, Bookstack, MediaWiki, and MediaGoblin
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, July 22, 2025
IRC logs for Tuesday, July 22, 2025
Brett Wilson LLP Has Gone Silent
Sometimes silence says more than nothing at all
Slopwatch: LinuxSecurity, Planet Ubuntu, and LinuxTechLab
some slopfarms show no remorse and they don't value their reputation at all
Links 23/07/2025: Book Bans, Storms, and Kangaroo Court for Patents Commits More Unlawful Acts of Overreach
Links for the day