Bonum Certa Men Certa

The EPO Bundestagate -- Part 4: Parroting the GDPR-Compliance Myth

Series index:

  1. The EPO Bundestagate -- Part 1: How the Bundestag Was (and Continues to be) Misled About EPO Affairs
  2. The EPO Bundestagate -- Part 2: Lack of Parliamentary Oversight, Many Questions and Few Answers…
  3. The EPO Bundestagate -- Part 3: A “Minor Interpellation” in the German Bundestag
  4. You are here ☞ Parroting the GDPR-Compliance Myth


EPO's GDPR-Compliance Myth
What could possibly have led the German government to parrot the EPO's bogus and self-serving claims about GDPR-compliance?



Summary: The EPO had been in violation of GDPR (EU) for years, both under Benoît Battistelli and António Campinos; but the lies persisted

Back in October 2019, the FDP submitted another "minor interpellation" entitled "Data protection in relation to cooperation with the EPO" ("Datenschutz bei EPA-Zusammenarbeit" - Bundestag Printed Paper [PDF] no. 19/14490).



This interpellation contained a series of questions relating to the EPO's data protection framework, in particular in the context of data exchanges with national authorities such as the German Patent & Trademark Office.

"This interpellation contained a series of questions relating to the EPO's data protection framework, in particular in the context of data exchanges with national authorities such as the German Patent & Trademark Office."Under point 7. of the interpellation, the FDP explicitly raised the issue of the compliance of the EPO's data protection framework with the GDPR (which had entered into force over a year previously in May 2018).

The relevant passage of the interpellation reads as follows (in translation):

According to the knowledge of the Federal Government, is data processing at the EPO compliant with the provisions of the GDPR, or does it have any indications that would suggest a deviation from GDPR regulations?


The response of the Federal Government was published on 12 November 2019 (Bundestag Printed Paper [PDF] no. 19/15072).

The passage of the response which addresses point 7. of the FDP's interpellation reads as follows (in translation):

The Federal Government has no indication that the EPO does not comply with the provisions of the European data protection standards. The Board of Auditors of the European Patent Organisation, which is appointed by the Administrative Council under Article 49(1) EPC and carries out its activities in accordance with Articles 49 and 50 EPC and its Rules of Procedure and professional auditing standards, stated the following in its audit report for the financial year 2018 (document CA/20/19) (warning: epo.org link). Although the EPO, as an international organization, is not directly subject to EU rules, the basic principles of the GDPR have nevertheless been implemented, as data of European citizens are processed at the EPO. In addition, it was noted that for the sake of transparency, the EPO has already established a data protection register in the past to record all processing of personal data. Upon request, the information can be made available (publicly) to the data subject, thus ensuring the right to information.


The government's response is another classic piece of hand-waving and obfuscation about the atrociously deficient state of the EPO's data protection framework.

It is however worth looking at this response more closely because it seems to have come straight from the EPO's internal "echo chamber". There is very little evidence of any independent thought or research on the part of those responsible for drafting the government's statement of its position.

"It seems that the reader is supposed to accept these assertions on "blind faith"."What is particularly noteworthy is the fact that the German government appears to rely solely on the EPO's internal audit report for the financial year 2018 (CA/20/19) (warning: epo.org link) as the basis for its "considered opinion" that the EPO's data protection framework is GDPR-compliant.

There's just one small problem here.

Neither CA/20/19 nor any other internal "audit report" from the EPO contains a meaningful substantive assessment of the organisation's data protection framework and its purported compliance with GDPR standards.

The available audit reports from the EPO (CA/20/18, CA/20/19, CA/20/20) (warning: all are epo.org links) only contain cursory self-serving assertions to the effect that the organisation's data protection framework is "relatively closely aligned" with EU data processing regulations - whatever that is supposed to mean.

What is conspicuously absent is a credible independent audit of the EPO's data protection framework that could be considered to substantiate the self-serving assertions emanating from the EPO's senior management.

It seems that the reader is supposed to accept these assertions on "blind faith".

"For this reason it's a bit disconcerting to see the Federal Government of Germany still parroting the EPO's manifestly bogus and self-serving assertions about GDPR-compliance in such a naïve and uncritical manner in November 2019."However, this becomes difficult when it is recalled that back in 2016 the EPO staff union (SUEPO) commissioned a report about various aspects of EPO governance from external legal experts.

This report dated 31 May 2016 - which is publicly available - found that the EPO's data protection framework was not compliant with EU data protection standards and that it was in urgent need of a radical overhaul.

Nothing of substance has changed since May 2016.

For this reason it's a bit disconcerting to see the Federal Government of Germany still parroting the EPO's manifestly bogus and self-serving assertions about GDPR-compliance in such a naïve and uncritical manner in November 2019.

In the next part we will consider how this curious state of affairs came about.

Recent Techrights' Posts

Open Source Initiative (OSI) Privacy Fiasco in Detail: The OSI Does Not Respect Anybody's Privacy
The surveillance mafia that bans dissent or key people (even co-founders) with dissenting views
The LLM Bubble is About to Implode, Gimmicks and Financial Shell Games Cannot Prevent That, Only Delay It
To inflate the bubble MElon is now doing the classic trick of buying from oneself for a fictional value
 
LLM Slop Piggybacking News About GNU/Linux and Distorting It
new examples
Links 31/03/2025: Press and Democracy Under Further Attacks in the US, Attitudes Towards Slop Sour
Links for the day
Gemini Links 31/03/2025: More X-Filesposting and Dreaming in Emacs
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, March 30, 2025
IRC logs for Sunday, March 30, 2025
Links 30/03/2025: Security Breaches, Crackdowns on Dissent/Rival Politicians
Links for the day
Gemini Links 30/03/2025: London Soundtrack Festival, Superbloom, gmiCAPTCHA
Links for the day
Phasing Out Vista 10 in Nations Where ~90% of Windows Users Still Rely on It
Recipe for another Microsoft disaster
The Cost of Pursuing the Much-Needed Reform/Shield Against Strategic Lawsuits Against Public Participation (SLAPPs)
“It is curious that physical courage should be so common in the world and moral courage so rare.”
Links 30/03/2025: Contagious Ideas, Signal Leak, and Squashing Lousy Patents
Links for the day
Links 30/03/2025: "Quantum Randomness" and "F-1 Visa Revoked" in US
Links for the day
Gemini Links 30/03/2025: US as a Threat, Returning to the WWW
Links for the day
Links 30/03/2025: Judge Blocks Dismantling Of VOA, Turkey Arrested Many Journalists
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, March 29, 2025
IRC logs for Saturday, March 29, 2025
Judges Would Never Rule for Men Who Strangle Women or Against Women Who Merely Wrote Articles About Abuse They Had Received From Men
We don't intend to do "trial by media", so we won't be disclosing claims and defences until it's over
Windows is an Unnatural Disaster, It is Also Avoidable
there's a wide window of opportunity opening
Gemini Links 29/03/2025: Less YouTube and More Station
Links for the day
In Some Countries, Such as Thailand, Firefox is Already Measured at Less Than 2% (One Day Firefox Will Get Blocked, Not Only Lack Support)
Web consolidation around Chrom-isms will doom the Web as we know it
Killing the News With Spam and Slop Benefits Those Whose Desire is an Uninformed Population
adoption of Free software depends indirectly on political activities/activism
Links 29/03/2025: Trademarks Battles, Fires Destroy More Than 3,000 South Korean Homes
Links for the day
Open Source Initiative (OSI) Privacy Fiasco in Detail: An Introduction
Perhaps tomorrow or perhaps next week we'll share more information about what happened and what was reported to the California Privacy Protection Agency
Links 29/03/2025: More Crackdowns on Science, "Hey Hi" Slopping is Flopping
Links for the day
IBM's BS (Bait, Switch) Regarding Ways to Stay Onboard
PIPs, RTOs, and forced relocations are just an illusion of choice (or ability to recover)
Costa Rica Almost Bankrupt Because of Microsoft
the incidents in Costa Rica are Windows incidents
Gemini Links 29/03/2025: Art of Looking, Wireguard, EMacs
Links for the day
Links 29/03/2025: Attacks on Social Security and War Updates
Links for the day
Banned evidence: Ars Technica forums censored email predicting DebConf23 death, Abraham Raji & Debian cover-up
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, March 28, 2025
IRC logs for Friday, March 28, 2025