03.16.21

Gemini version available ♊︎

EPO and Microsoft Collude to Break the Law — Part IX: Know Your Vendor…

Posted in Deception, Europe, Microsoft, Patents at 4:26 am by Dr. Roy Schestowitz

Previous parts:

A big brother-like spy
The never-ending saga of Microsoft’s run-ins with European data protection authorities

Summary: Microsoft is one of the world’s worst offenders when it comes to privacy, but vendor assessment by the EPO conveniently overlooks the law

Even before GDPR came into effect in May 2018, data protection regulators in some European countries were starting to have their doubts about whether Microsoft’s flagship product, its Windows operating system, was compliant with European data protection standards.

The first national authority to kick into action was the French National Data Protection Commission (CNIL).

Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question.

“Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question.”No fewer than six violations of the French Data Protection Act were identified by CNIL, including continued transfer of data based on Safe Harbor principles despite the fact that the Safe Harbour Agreement had been invalidated by the CJEU in October 2015.

Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.

In June 2017, it was reported that Microsoft had scaled back the volume of data it collected from Windows 10 PCs by “almost half”. This led CNIL to announce that Windows 10 was no longer in breach of the country’s data protection laws and that it had decided to close the case.

But that was only the first chapter in the never-ending saga of Microsoft’s run-ins with European data protection authorities.

“Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.”A few months later in October 2017, it was reported that the Dutch data protection authority (Autoriteit Persoonsgegevens) had come to the conclusion that Microsoft was in breach of Dutch data protection law due to the way it processed the personal data of Windows 10 users.

According to the Dutch data watchdog, Microsoft made it impossible for users to give their valid consent to their personal data being processed due to the multiple ways in which that data might subsequently be used.

The Dutch regulator noted that Microsoft had promised to end its “violations”, but warned that a failure to do so could lead it to impose a sanction.

After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release “new, potentially unlawful, instances of personal data processing”.

“After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release “new, potentially unlawful, instances of personal data processing”.”In the meantime GDPR had entered into force, and this led the Dutch data protection authority to refer its concerns to the competent lead EU privacy regulator under the new regulations. This was the national data protection authority where Microsoft’s regional HQ for the EU is located, namely the Irish Data Protection Commission.

And so the seriously under-resourced Irish DPC added the Microsoft GDPR non-compliance case to an already long list of files concerning the cross-border data processing activities of multiple tech giants which had accumulated on its docket since the GDPR came into force in May 2018.

According to the most recently available reports from May 2020 the Microsoft case is still pending before the Irish Data Protection Commission.

The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.

“The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.”The DPIA was commissioned because this was a clear-cut case of data processing on a large scale (by 300,000 government employees) which involved personal data, including data that could be potentially used to track the activities of employees.

The aim of the exercise was to assess the extent to which Microsoft’s Office Online and the Mobile Office Apps could be deployed in a GDPR-compliant manner by Dutch government organisations.

The scope of the investigation included the five most commonly used Office 365 applications – Word, PowerPoint, Outlook, Excel and Microsoft Teams – in Office Online and the Mobile Office apps, in combination with the use of cloud storage services.

The final report [PDF], which was published in November 2018, identified a number of serious data protection risks, in particular the following:

• Loss of control over the use of personal data;
• Loss of confidentiality;
• Inability to exercise rights;
• Re-identification of pseudonymised data;
• Unlawful (further) processing.

It was noted that effective risk mitigation was outside of the users’ control and could only be carried out by Microsoft.

“It was noted that effective risk mitigation was outside of the users’ control and could only be carried out by Microsoft.”The investigation found an unacceptable lack of control by users over the processing of personal data by Office 365 mobile applications. Because of this government organisations were advised to create policies for their employees stating that they were not to use mobile Office 365 applications.

As we shall see in the next part, the investigation by the Dutch authorities into the GDPR-compliance of Microsoft products prompted the European Data Protection Supervisor to announce its own investigation into Microsoft products used by EU institutions.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New

  1. [Meme] “Social Democracy” at the EPO

    Some comments on the current situation at the European Patent Office from Goran Gerasimovski, the new EPO Administrative Council delegate for North Macedonia and Social Democratic candidate for mayor of Centar (a municipality of Skopje)

  2. [Meme] António Campinos Visits the OSIM

    António Campinos visits OSIM Director-General Ionel Muscalu in February 2014

  3. [Meme] [Teaser] Meet the President

    Later today we shall see what Romania did for Battistelli

  4. Links 26/10/2021: Latte Dock 0.10.3 and Linux 5.15 RC7

    Links for the day

  5. Gemini Protocol's Originator: “I Continue to Care About This Project and I Care About the Community That Has Formed Around It.”

    'Solderpunk' is back from a long hiatus; this bodes well for Geminispace, which grew fast in spite of the conspicuous absence

  6. Bulgarian Like Bavarian Serfdom

    Bulgarian politics seem to have played a big role in selecting chiefs and delegates who backed Benoît Battistelli‘s unlawful proposals, which treat workers almost like slaves and ordinary citizens as disposable ‘collaterals’

  7. The EPO’s Overseer/Overseen Collusion — Part XXIII: The Balkan League - Bulgaria

    Today we examine the role of Bulgaria in Benoît Battistelli‘s liberticidal regime at the EPO (as well as under António Campinos, from 2018 to present) with particular focus on political machinations

  8. Links 25/10/2021: New Slackware64-current and a Look at Ubuntu Budgie

    Links for the day

  9. Links 25/10/2021: pg_statement_rollback 1.3 and Lots of Patent Catchup

    Links for the day

  10. Microsoft GitHub Exposé — Part III — A Story of Plagiarism and Likely Securities Fraud

    Today we tread slowly and take another step ahead, revealing the nature of only some among many problems that GitHub and Microsoft are hiding from the general public (to the point of spiking media reports)

  11. [Meme] [Teaser] Oligarchs-Controlled Patent Offices With Media Connections That Cover Up Corruption

    As we shall see later today, the ‘underworld’ in Bulgaria played a role or pulled the strings of politically-appointed administrators who guarded Benoît Battistelli‘s liberticidal regime at the EPO

  12. IRC Proceedings: Sunday, October 24, 2021

    IRC logs for Sunday, October 24, 2021

  13. Links 25/10/2021: EasyOS 3.1 and Bareflank 3.0

    Links for the day

  14. The Demolition of the EPO Was Made Possible With Assistance From Countries That Barely Have European Patents

    The legal basis of today's EPO has been crushed; a lot of this was made possible by countries with barely any stakes in the outcome

  15. The EPO’s Overseer/Overseen Collusion — Part XXII: The Balkan League - North Macedonia and Albania

    We continue to look at Benoît Battistelli‘s enablers at the EPO

  16. Links 24/10/2021: GPS Daemon (GPSD) Bug and Lots of Openwashing

    Links for the day

  17. Links 24/10/2021: XWayland 21.1.3 and Ubuntu Linux 22.04 LTS Daily Build

    Links for the day

  18. IRC Proceedings: Saturday, October 23, 2021

    IRC logs for Saturday, October 23, 2021

  19. Links 24/10/2021: Ceph Boss Sage Weil Resigns and Many GPL Enforcement Stories

    Links for the day

  20. GAFAM-Funded NPR Reports That Facebook Let Millions of People Like Trump Flout the So-called Rules. Not Just “a Few”.

    Guest post by Ryan, reprinted with permission

  21. Some Memes About What Croatia Means to the European Patent Office

    Before we proceed to other countries in the region, let’s not forget or let’s immortalise the role played by Croatia in the EPO (memes are memorable)

  22. Gangster Culture in the EPO

    The EPO‘s Administrative Council was gamed by a gangster from Croatia; today we start the segment of the series which deals with the Balkan region

  23. The EPO’s Overseer/Overseen Collusion — Part XXI: The Balkan League – The Doyen and His “Protégée”

    The EPO‘s circle of corruption in the Balkan region will be the focus of today’s (and upcoming) coverage, showing some of the controversial enablers of Benoît Battistelli and António Campinos, two deeply corrupt French officials who rapidly drive the Office into the ground for personal gain (at Europe’s expense!)

  24. Links 23/10/2021: FreeBSD 12.3 Beta, Wine 6.20, and NuTyX 21.10.0

    Links for the day

  25. IRC Proceedings: Friday, October 22, 2021

    IRC logs for Friday, October 22, 2021

  26. [Meme] [Teaser] Crime Express

    The series about Battistelli's "Strike Regulations" (20 parts thus far) culminates as the next station is the Balkan region

  27. Links 23/10/2021: Star Labs/StarLite, Ventoy 1.0.56

    Links for the day

  28. Gemini on Sourcehut and Further Expansion of Gemini Space

    Gemini protocol is becoming a widely adopted de facto standard for many who want to de-clutter the Internet by moving away from the World Wide Web and HTML (nowadays plagued by JavaScript, CSS, and many bloated frameworks that spy)

  29. Unlawful Regimes Even Hungary and Poland Would Envy

    There’s plenty of news reports about Polish and Hungarian heads of states violating human rights, but never can one find criticism of the EPO’s management doing the same (the mainstream avoids this subject altogether); today we examine how that area of Europe voted on the illegal "Strike Regulations" of Benoît Battistelli

  30. The EPO’s Overseer/Overseen Collusion — Part XX: The Visegrád Group

    The EPO‘s unlawful “Strike Regulations” (which helped Benoît Battistelli and António Campinos illegally crush or repress EPO staff) were supported by only one among 4 Visegrád delegates

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts