03.16.21

Gemini version available ♊︎

EPO and Microsoft Collude to Break the Law — Part IX: Know Your Vendor…

Posted in Deception, Europe, Microsoft, Patents at 4:26 am by Dr. Roy Schestowitz

Previous parts:

A big brother-like spy
The never-ending saga of Microsoft’s run-ins with European data protection authorities

Summary: Microsoft is one of the world’s worst offenders when it comes to privacy, but vendor assessment by the EPO conveniently overlooks the law

Even before GDPR came into effect in May 2018, data protection regulators in some European countries were starting to have their doubts about whether Microsoft’s flagship product, its Windows operating system, was compliant with European data protection standards.

The first national authority to kick into action was the French National Data Protection Commission (CNIL).

Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question.

“Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question.”No fewer than six violations of the French Data Protection Act were identified by CNIL, including continued transfer of data based on Safe Harbor principles despite the fact that the Safe Harbour Agreement had been invalidated by the CJEU in October 2015.

Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.

In June 2017, it was reported that Microsoft had scaled back the volume of data it collected from Windows 10 PCs by “almost half”. This led CNIL to announce that Windows 10 was no longer in breach of the country’s data protection laws and that it had decided to close the case.

But that was only the first chapter in the never-ending saga of Microsoft’s run-ins with European data protection authorities.

“Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.”A few months later in October 2017, it was reported that the Dutch data protection authority (Autoriteit Persoonsgegevens) had come to the conclusion that Microsoft was in breach of Dutch data protection law due to the way it processed the personal data of Windows 10 users.

According to the Dutch data watchdog, Microsoft made it impossible for users to give their valid consent to their personal data being processed due to the multiple ways in which that data might subsequently be used.

The Dutch regulator noted that Microsoft had promised to end its “violations”, but warned that a failure to do so could lead it to impose a sanction.

After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release “new, potentially unlawful, instances of personal data processing”.

“After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release “new, potentially unlawful, instances of personal data processing”.”In the meantime GDPR had entered into force, and this led the Dutch data protection authority to refer its concerns to the competent lead EU privacy regulator under the new regulations. This was the national data protection authority where Microsoft’s regional HQ for the EU is located, namely the Irish Data Protection Commission.

And so the seriously under-resourced Irish DPC added the Microsoft GDPR non-compliance case to an already long list of files concerning the cross-border data processing activities of multiple tech giants which had accumulated on its docket since the GDPR came into force in May 2018.

According to the most recently available reports from May 2020 the Microsoft case is still pending before the Irish Data Protection Commission.

The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.

“The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.”The DPIA was commissioned because this was a clear-cut case of data processing on a large scale (by 300,000 government employees) which involved personal data, including data that could be potentially used to track the activities of employees.

The aim of the exercise was to assess the extent to which Microsoft’s Office Online and the Mobile Office Apps could be deployed in a GDPR-compliant manner by Dutch government organisations.

The scope of the investigation included the five most commonly used Office 365 applications – Word, PowerPoint, Outlook, Excel and Microsoft Teams – in Office Online and the Mobile Office apps, in combination with the use of cloud storage services.

The final report [PDF], which was published in November 2018, identified a number of serious data protection risks, in particular the following:

• Loss of control over the use of personal data;
• Loss of confidentiality;
• Inability to exercise rights;
• Re-identification of pseudonymised data;
• Unlawful (further) processing.

It was noted that effective risk mitigation was outside of the users’ control and could only be carried out by Microsoft.

“It was noted that effective risk mitigation was outside of the users’ control and could only be carried out by Microsoft.”The investigation found an unacceptable lack of control by users over the processing of personal data by Office 365 mobile applications. Because of this government organisations were advised to create policies for their employees stating that they were not to use mobile Office 365 applications.

As we shall see in the next part, the investigation by the Dutch authorities into the GDPR-compliance of Microsoft products prompted the European Data Protection Supervisor to announce its own investigation into Microsoft products used by EU institutions.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New

  1. [Meme] EPO Applicants Unwittingly Fund the War on Ukraine

    As we’ve just shown, António Campinos is desperately trying to hide a massive EPO scandal

  2. EPO Virtue-Signalling on the Ukrainian Front

    António Campinos persists in attention-shifting dross and photo ops; none of that can change the verifiable facts about the EPO’s connections to Lukashenko’s 'science park' in Minsk

  3. Links 19/05/2022: PostgreSQL 15 Beta 1 and Plasma 5.25 Beta

    Links for the day

  4. A Libera.Chat Anniversary and Happy Birthday (Maybe the Last) to 'Leenode'

    What became known as the so-called ‘Leenode’ is a cautionary tale, but maybe it is also a blessing in disguise because IRC as a whole seem to have become a lot more decentralised (as everything should be)

  5. Links 19/05/2022: The Gradual Fall of Netflix/DRM

    Links for the day

  6. IRC Proceedings: Wednesday, May 18, 2022

    IRC logs for Wednesday, May 18, 2022

  7. Links 18/05/2022: Qt Company Loses Chief; OpenSUSE Leap Micro 5.2 and RHEL 9 Final

    Links for the day

  8. Jim Zemlin's Wife is Funded by Puppies (Microsoft)

    Jim Zemlin — like his wife — is bagging millions from Microsoft, but that’s clearly a conflict of interest for the Linux Foundation

  9. Links 18/05/2022: More Defections From WordPress to Gemini

    Links for the day

  10. Links 18/05/2022: PikaScript and cURL's Annual User Survey

    Links for the day

  11. IRC Proceedings: Tuesday, May 17, 2022

    IRC logs for Tuesday, May 17, 2022

  12. Phoronix: Microsoft and Phoronix Sponsor (and Close Microsoft Partner) AMD All Over the Place

    When you’re taking massive 'gifts' from AMD (and also some from Microsoft) maybe it’s not surprising that editorial decisions change somewhat…

  13. EPO Has No F-ing Oversight

    Earlier today SUEPO mentioned this new article demonstrating that EPO President António Campinos can very obviously and blatantly violate the Code of Conduct of the Office without facing any consequences; there are translations too, so the report is now available in four languages

  14. [Meme] Linux-Rejecting Foundation

    The Linux Foundation never really leads by example; by default, it uses proprietary software

  15. Linux Foundation Almost Never uses Open Source

    The Linux Foundation uses proprietary software (look where they hire and take money from) and be sure they're probably not even aware of it

  16. Links 17/05/2022: Many More Games on GNU/Linux, YaST Development Report

    Links for the day

  17. Links 17/05/2022: Rocky Linux 8.6 and Budgie Desktop in Fedora

    Links for the day

  18. Patent Examiners Rising Up Against EPO Abuse

    Unhappy with the law-breaking autocracy (the EPO‘s management breaks the law as a matter of routine), fast-deteriorating working conditions and rapidly-decreasing quality of work (or lack of compliance with the law), workers have escalated further, topping off strikes and industrial actions with a large-scale petition

  19. [Meme] What Managers (Really) Mean by Acting Professionally

    The myth of 'professionalism' needs to die along with the façade of conformity as prerequisite for employment (Linus Torvalds can work just fine in a bathrobe in his own home)

  20. Internal Poll: 93% of European Patent Office (EPO) Workers Are Unhappy With the EPO

    On top of strike/s and industrial action/s there are now also petitions; at the EPO, almost all staff is "disgruntled" because of utterly corrupt and defunct leadership

  21. Links 17/05/2022: OpenSUSE Leap 15.4 Release Candidate

    Links for the day

  22. IRC Proceedings: Monday, May 16, 2022

    IRC logs for Monday, May 16, 2022

  23. Links 16/05/2022: FreeBSD 13.1 and Inkscape 1.2 Released

    Links for the day

  24. Archiving Latest Posts in Geminispace (Like a Dated Web Directory But for Gemini)

    Earlier today we saw several more people crossing over from the World Wide Web to Gemini; we're trying to make a decent aggregator and archive for the rapidly-expanding Geminispace, which will soon have 2,500 capsules that are known to Lupa alone

  25. Microsoft Vidal Does Not Want to Listen (USPTO is Just for Megacorporations)

    Microsoft Vidal knows her real bosses. They’re international corporations (multinationals like Microsoft), not American people.

  26. Links 16/05/2022: China Advances on GNU/Linux and Maui 2.1.2 is Out

    Links for the day

  27. Jim Zemlin: Chief Revenue Officer in 'Linux' Seat-Selling Foundation

    Board seats in the Linux Foundation are basically a product on sale, based internal documents

  28. Reminder: Linux Foundation's Last IRS Filing is Very Old (Same Year the CFO Left)

    People really need to ask the Linux Foundation, directly, why its filings are years behind; this seems like a sensitive subject

  29. Linux Foundation Does Not Speak for GNU/Linux Users

    There's a serious problem in the "Linux" world as the so-called 'Linux' Foundation claims to speak for us (the GNU/Linux community) while in fact speaking against us (on the payroll of those looking to extinguish us)

  30. IBM's Lennart Poettering on Breaking Software for Pseudo Novelty

    Recently-uploaded ELCE 2011 clip shows a panel with Linus Torvalds, Alan Cox, Thomas Gleixner, Paul McKenney, and Lennart Poettering (relevant to novelty or perceived novelty that mostly degrades the experience of longtime users, e.g. Wayland and systemd)

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts