For quite some time now it has been an open secret that the data protection framework at the EPO is not fit for purpose.
When the EU GDPR came into effect in May 2018, Battistelli attempted to pull the wool over the eyes of the EPO's stakeholders and the general public by issuing a self-serving communiqué (warning: epo.org link) proclaiming the EPO's commitment to "ensuring the highest level of data protection" and announcing that "a recent audit report has confirmed a close alignment with the GDPR legal framework".
The only problem here is that Dr Petri, a serious and well-regarded independent expert on data protection law, found that the EPO's data protection framework failed to measure up to pre-GDPR standards in 2014.
So it's difficult to see how such a manifestly deficient framework, which hadn't changed in the meantime, could be considered to meet the even more stringent standards imposed by GDPR in 2018.
As a matter of fact, a report commissioned by the EPO staff union SUEPO from external legal experts in 2016 came to the conclusion that the EPO's data protection framework was not compliant with EU data protection standards and was in urgent need of a radical overhaul.
It's worth citing a few passages from that report for the record:
The European Union does, quite rightly, take data protection seriously. Yet the framework at the EPO gives rise to significant cause for concern, which has also been expressed by the national data protection authorities of the main host state – the Federal Republic of Germany.
The Guidelines for the Protection of Personal Data in the European Patent Office (‘EPO Data Protection Guidelines’ or ‘EPO DPG’), which were unilaterally adopted by the President and which entered into force on 1st April 2014. The current EPO DPG appear to fail to meet the standards of both EU data protection law and the national data protection laws of the Contracting States, in particular, the host countries of the EPO. As such, they do not provide a satisfactory framework for safeguarding the data protection rights of data subjects within the Office.
A key component of the EU data protection framework and which is reflected in the national data protection laws of all EU member states is the existence of an independent oversight body; yet this is conspicuously absent at the EPO. Indeed, the deficiencies in the existing system of data protection established by the EPO's Data Protection Guidelines have come to the attention of the national data protection authorities in the host state of the EPO's headquarters (Germany) and have even been the subject of a discussion in the Legal Affairs Committee of the German Federal Parliament (Bundestag).
When all is said and done, the task of ensuring that the EPO's data protection framework is fit for purpose is a matter of fundamental legal and political significance which lies within the responsibility of the governing body of the organisation, namely the Administrative Council.
This is not something which can be simply delegated to the EPO management to deal with on its own initiative.
Unfortunately for all concerned, the Administrative Council appears to have completely abdicated its responsibilities in this regard.
The Council gives the distinct impression that it is "asleep at the wheel" as the senior management of the EPO proceeds to sell out the organisation's "digital sovereignty" to a US multinational corporation behind its back.
Once again, the EPO's Administrative Council seems to be asleep at the wheel