Bonum Certa Men Certa

EPO's Illegal Surveillance Covered Up by Buzzwords Bingo and Acronyms: Data Protection Board (DPB), Data Protection Rules (DPR), and Data Protection Officer (DPO)

EPO's B&W logo
CSC members of the GCC wrote a publication to explain the laughable situation (albeit very politely or "diplomatically" as 'suits' like to put it)



Summary: Years after the surveillance scandals (blunders and actual crimes) of Benoît Battistelli it seems clear that António Campinos carries on with the same tradition of violating privacy of staff and stakeholders, who are of course being lied to (with euphemisms such as "Data Protection")

The Central Staff Committee (CSC) of the EPO has published a report on the consultative 'meeting' (Webchat or "videoconference") which took place 11 days ago regarding "Data Protection" (the EPO prefers to use this positive-sounding term whilst illegally spying on staff and sending confidential data of applicants to Microsoft/United States). The irony isn't lost either; like ViCo 'courts' dealing with or deciding on ViCo. We now have videoconferences dealing with the legality of surveillance, which certainly these videoconference facilities introduce (the EPO could self-host its videoconferencing, but it probably lacks the technical staff that can configure Free software; good workers have been driven out for years).



In any case, this 6-page publication which currently circulates among EPO staff was 'leaked' to us, so we can reproduce it in full below, as HTML:

Munich,17/12/2021 sc21149cp

GCC meeting on 9 December 2021

Data Protection



Dear Colleagues,

The President convened a one-hour GCC meeting via videoconference in order to deal with documents about data protection, in particular to consult on new Circular 420. The Circular deals with the implementation of Article 25 of the Data Protection Rules, which is about restricting the rights of data subjects (read: employees) in specific cases. The CSC members of the GCC unanimously abstained on the document.

The CSC members of the GCC also gave an opinion (without a vote) on the Rules of Procedure of the Data Protection Board, which will act as an “Appeals Committee” for data protection disputes.

Both opinions are attached to this report.

At the end of the meeting we asked about the President’s intentions with his draft social agenda, in particular the “Review of Leave1”. The President announced that all aspects of leave would be addressed, but with the aim making them fair, transparent, predictable and simple, as always2.

The Central Staff Committee

Annexes: opinions of the CSC members of the GCC

- Circular 420: Implementing Article 25 of the Data Protection Rules (DPR) (document GCC/DOC 26/2021) - Rules of Procedure of the Data Protection Board (document GCC/DOC 27/2021)

_____________ 1 See also our publication “Social Agenda 2022” of 3 December 2021. 2 He made the same promise for the reform of the education benefits.




Annexes



Opinion of the CSC members of the GCC on GCC/DOC 26/2021 Circular 420: Implementing Article 25 of the Data Protection Rules (DPR)

General Remarks

In June 2021, the Administrative Council adopted amendments to the ServRegs and the Implementing Rules for Articles 1b and 32a ServRegs (Protection of personal data and data protection oversight), the “DPR”, with decision CA/D 5/21. The GCC consulted on 2 June 2021 on the corresponding CA document CA/26/21. The opinion1 of the CSC members of the GCC was published with their report on the GCC meeting. Obviously, the main flaws of the regulation remain and cannot be remedied in a lower-ranking Circular No. 420.

Human rights should never be taken for granted. The recent judgments regarding the rights for strike at the EPO provide proof for that. The rights to privacy and protection of personal data are such human rights.

Therefore, the CSC members of the GCC appreciate the efforts of the Office to align with highest standards and best practices in data protection. What are these highest standards? It is the GDPR, the general Data Protection Regulations from the EU, as well as the EUDPR, the regulation on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies, which have been introduced in 2018. These are widely considered the Gold Standard in data protection.

Already in February 2019, so almost three years ago, in a publication 2 Staff Representation denounced that the rights to privacy and protection of personal data of EPO employees and its stakeholders did not correspond to these highest standards. Staff representation asked that:

1. The EPO policies on data protection should be aligned with the EU regulations; 2. The role of the Data Protection Officer should be strengthened, and its independence should be assured; 3. An external and independent oversight body should be appointed with the task of monitoring the application of data protection policies at the EPO; 4. Separate data protection policies should be defined for investigative procedures (e.g., misconduct or fraud). Its implementation should be the responsibility of a distinct Data Protection Officer nominated, e.g., by the Administrative Council.

Although late (almost 3 years after that publication and 4 years after the introduction of the EU regulations, and although not as ambitious as we might have liked, finally the EPO has taken some steps forward. We see that indeed the EPO policies have been aligned with the EU regulations and that we have a Data Protection Officer who is more independent and has more resources.

Still the new framework deviates in some important points from the EUDPR. Indeed, it does not provide the same level of protection afforded to employees in the EU institutions.

The main problem is that the President of the Office is both the controller and the appointing authority for the members of the supposedly independent Data Protection Board (DPB). The task

_____________ 1 Opinion of the CSC members of the GCC on GCC/DOC 5/2021 (CA/26/21 and CA/26/21 Add.1): Modernisation of the Data Protection Framework of the European Patent Office under the Strategic Plan 2023, 10.06.2021, link 2 Data Protection @ EPO, quo vadis?, CSC, 20.02.2019, link




of the Data Protection Board is to check that the controller is doing the right things. The second problem is that the powers of the Data Protection Board are limited: it cannot make binding opinions or impose sanctions. It just provides an opinion which the EPO President (the controller) can follow or not. For further information please refer to the Opinion of the CSC members of the GCC on GCC/DOC 5/20211.

Evidently, the EPO has a specific institutional set-up which differs from that of the EU institutions. However, this does not explain the important deviations from the Data Protection Regulation of the EU on such fundamental points. So, we observe some improvements, but unfortunately no Gold Standard at the EPO on the topic of data protection regulations.

On Circular No.420

One critical provision is Article 25 DPR, which restricts the rights of the data subject. Article 25 DPR essentially corresponds to Article 25 EUDPR. The rights concerned are the rights to information, access, rectification, erasure, restriction of processing, data portability, notification and communication of a personal data breach and confidentiality of electronic communications. The rights which remain untouched are the right to object and the right to be preserved from decisions based solely on automated processing.

In the EU, the restrictions either relate to the Member States, to “dispute” proceedings or exclusively to the internal security of Union institutions and bodies, including of their electronic communications networks (Article 25.(1)(d)).

Whereas the CSC members of the GCC are able to compare the EPO DPR with the EUDPR, they lack information (e.g. benchmarks) allowing them to compare with other international organisations or EU agencies, as regards the implementation of Article 25. They also lack benchmarks on how often these restrictions are applied in other organisations. Data on the past and current practice of imposing such restrictions at the EPO are also not available.

Consultation process

The Circular mentions “extensive consultation with those relevant internal stakeholders over the last few months”. One of the main stakeholders, the representatives of the EPO staff, i.e., its Staff representation was excluded from the task force. A single one-hour ViCo was convened by the DPO for explaining the Circular and for the Staff Representation to give their input. However, IT issues prevented the circular from being available for all staff representatives on time. Due to the very tight time line and the extremely late involvement of the Staff Representation, no replacement ViCo could be convened. The GCC meeting is de facto the first opportunity to discuss the Circular with management. One informal meeting with the DPO took place beforehand.

As to the content

Article 4 provides a list of situations, or legal grounds, in which restrictions to the rights of the data subject are possible. It lists inter alia also internal audits. One can reasonably assume that some right on data protection might have to be temporarily restricted during investigative or disciplinary proceedings. However, in the case of internal audits this is questionable. “Internal audits” is a broad term. It might be that there are some specific internal audits for which such restrictions are




necessary. These specific internal audits should have been listed instead of the broad term “internal audits”.

Restrictions are discretionary acts by a data controller, hence subject to limited review. In reply to a request for review, the (delegated) controller will only inform the requester whether the data have been processed correctly and, if not, whether any necessary corrections have been made3. It is therefore very different from a usual request for review within the meaning of Article 109 ServRegs, which calls for a reasoned decision4. The controller must be able to demonstrate compliance with the DPR, for accountability purposes, but the requester is not informed of that “demonstration”.

The Office might impose restrictions, e.g., as regards confidentiality of electronic communications, in investigations, disciplinary proceedings, appeals proceedings, health-related processes. The grounds for the restriction have to be given, i.e., the “legal basis” for the restriction as listed in Article 4. Reasons for restrictions might remain hidden to the data subject in certain cases5. When it comes to disputes in such cases, the facts available to one party, the Office, shall be made available to the Data Protection Board upon request. The other party, i.e., the staff member, will not necessarily have access to those facts. This jeopardises the right to a “fair trial” before the DPB.

This shows again that these restrictions should be imposed only in very specific and exceptional cases. And this is further proof of the importance of the independence of both the Data Protection Board and the DPO, which is crucial for building trust..

Conclusion

The Office deliberately chooses not to follow the EUDPR, which can be considered the “gold standard”. Even when taking into account the institutional set-up of the Organisation6, the new framework could have been aligned closer to the EUDPR. The main problems are, in particular, that the President of the Office is both the controller and the appointing authority for the members of the DPB and that the DPB cannot make binding opinions.

The new framework will require re-evaluation in a few years, hopefully with a view to coming closer to the EUDPR.

Based on the foregoing, the CSC members of the GCC unanimously abstain on the document.

_____________ 3 Article 25(3)c DPR. 4 Article 109(4) ServRegs: “The competent appointing authority shall take a reasoned decision on the outcome of the review...” 5 See Article 7(4); see also Article 25(3)b. and 25(4) DPR 6 See, e.g., Article 10 EPC




Opinion of the CSC members of the GCC on document GCC/DOC 27/2021: Rules of Procedure of the Data Protection Board

The CSC members of the GCC give the following opinion on document GCC/DOC 27/2021.

Introduction

The Administrative Council (AC) has been informed in June 2021 of the Data Protection Rules (DPR) with document CA/26/21 Add. 1. The AC has adopted the new data protection framework with decision CA/D 5/21.

The Data Protection Board (DPB) has two functions, namely an oversight / advisory function and a function as part of the mechanism for legal redress1. The Rules of Procedure (RoP) of the DPB describe the role and the responsibilities of the DPB, including the procedure for dealing with complaints on data protection issues.

The RoP of the DPB relate to the second function, i.e. dealing with complaints. The DPB will replace the Appeals Committee (ApC) for decisions on data protection issues. The RoP for the DPB resemble the RoP for the ApC. In comparison, they include inter alia additional directions for the Board, e.g. as regards criteria for receivability (Article 5), various constraints on time limits for internal processing, the concrete form of opinions (Article 10), etc. The DPB is composed of members having a recognised technical and/or legal background, especially in data protection matters. One would expect that the DPB would be in a position to sort out such matters in an autonomous manner, i.e., deciding on the RoP themselves without interference by the President of the Office, taking for instance good judicial practice and ILOAT jurisprudence into account.

The RoP of the DPB are adopted by the President of the Office in consultation with the President of the Boards of Appeal. With the GCC document, the President informs the GCC members that he adopts the RoP of the DPB. The role of the DPB is limited to proposing amendments to these RoP, which the President may adopt or reject. The DPO confirmed this in the GCC meeting: the DPO would consider whether the proposed amendments could be taken over. By contrast, the Appeals Committee adopts its own Rules of Procedure (with additional approval from the President of the EPO). The latter is the more appropriate sequence for a body intended to be an independent supervisory.

The general impression is that the DPO is willing to retain control on the procedure, which the DPB is expected to follow, although the DPB is the DPO’s supervisory.

The missing bits: rules for oversight / advisory and whistleblowing functions

The RoP include a general statement as to its role, viz. an expert, reliable and authoritative body in the field of data protection ensuring an appropriately informed decision-making process by the President. However, the rules exclusively relate to its function as a replacement for the ApC for dealing with individual disputes. No rules are set up for its advisory function.

Furthermore, under Article 68 of the EU Regulation, staff members of the EU institutions, bodies and agencies can lodge complaints with the European Data Protection Supervisory

_____________ 1 Article 47 DPR




(EDPS), which roughly corresponds to the DPB, even if they are not personally affected by the alleged breach. This is a whistle-blower provision. The EPO excludes this possibility in Article 3(1): only the data subject whose data protection rights have allegedly been infringed is entitled to lodge a complaint.

This could be explained by external institutional constraints, such as the regulations at ILOAT, if the DPB was regarded exclusively as a replacement for the ApC. However, this is not the case and there is a need for establishing a formal channel for dealing with whistle-blowers, in data protection matters as well as in other matters. Presently there is no such channel formalised in the Service Regulations.

Specific positive aspects in the RoP of the DPB:

- Article 10(6): the reasoned opinion of the DPB is communicated to all parties at the same time, including the complainant.

- Article 15(2): a possibility is created for the Board to further examine a complaint of its own motion after the complainant has withdrawn.

- Article 9(7): there is a provision for urgency.

- Article 16(1): the communication of the final decisions is apparently managed by the DPB itself (Secretariat).

The CSC members of the GCC suggest that the ApC should consider including these aspects, mutatis mutandis, into their own rules.

Negative aspect in the RoP:

- Contrary to the ApC, no hearing is foreseen.

The CSC members of the GCC suggest that the DPB should consider including this essential possibility, mutatis mutandis, into their own rules and regret that the DPO is of the opinion that proceedings in writing are sufficient in all cases.


Another publication has been passed along -- an even more interesting one. The EPO has become a technical blunder which not only breaks laws but also has broken systems. This is what happens when the President hires friends (nepotism) instead of people with suitable qualifications. Aside from illegal outsourcing (to external companies) they end up with a circus of a patent office.

Recent Techrights' Posts

Links 22/09/2025: Murdochs Might Join Fentanylware (TikTok) 'Investors' (Masters), United Kingdom Recognises Palestinian Statehood
Links for the day
The 50-Pound Note Experiment and the "War on Cash"
Britain is actually seeing a rebound in cash payments, and it's not a temporary phenomenon
 
The Solicitors Regulation Authority (SRA) Has a Policy on Racism and Sexism
In then future we'll show the misogyny and racial slurs
The Complaint About Brett Wilson LLP - Part I - Abusing British Women on Behalf of American Men Who Abuse American Women
Transparency is important to us, so we've decided to make this series
Slopwatch: Google News and the Evident Slopfarm Infestation
This is what people get about Linux when they query Google for Linux
Gemini Links 22/09/2025: Esperanto Music History and Apps For Android
Links for the day
Links 22/09/2025: More American 'Censorship' (Retaliation for Journalism), Cheeto "Might Be Losing His Race Against Time"
Links for the day
The Blob Slop
Give me more words, give me some text
Slopwatch: Blaming the Victims for Microsoft's Failures and Plagiarising Phoronix
That's what Google has been reduced to: slop and slopfarms
Links 22/09/2025: Breaches, Windows TCO, and Arrests
Links for the day
Gemini Links 22/09/2025: Rabbit Hole and DeGoogling Fairphone
Links for the day
Links 22/09/2025: Russian War Planes Invade NATO Airspace While Dihydroxyacetone Man Escalates Attack on Free Speech Because of Critics
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, September 21, 2025
IRC logs for Sunday, September 21, 2025
Links 21/09/2025: "Hey Hi" (Hype) Under Fire, Fakes Identified; Tesla Burns Family
Links for the day
Google's Software is Malware and Malware in Mobile Devices
Originally posted by Rob Musial
Links 20/09/2025: Hegemony Coming to a Close, Luigi Mangione Ruled Not Terrorist
Links for the day
Gemini Links 21/09/2025: "Charlie Kirk Was a Hateful Piece of Shit" and Slop Code Attempted by Microsofter
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, September 20, 2025
IRC logs for Saturday, September 20, 2025
Gemini Links 20/09/2025: Snowy Photos and utism is a Spectrum
Links for the day
Microsoft-Sponsored Xenophobia and Nationalism
IBM is very similar in this regard
Vintage is Sometimes Better
Why can't we get back to "simple" if (or where) "simple" means better?
Climate Breakdown Means We'll be Publishing More, Not Less
Press freedom will be a common, recurring theme
Our 5-Year Geminispace Anniversary is Coming Up
I still remember when Gemini Protocol was quite new
It's Right to Point Out Violence From the Right
Violence is a recurring theme
Tentative Summary of Things to Publish in Project 2030
I'll still be in my forties by then
Web Browsers That "Do Hey Hi" (AI)
State-of-the-art plagiarism or "autocomplete on steroids" (not coined by us, nevertheless a nice description) don't have much/any prospect
Links 20/09/2025: Hardware Projects in View, Some Independent Publishers About Russia Prosper After Cheeto Cuts Funding
Links for the day
Gemini Links 20/09/2025: Options and TV Time Machine
Links for the day
Links 20/09/2025: Retrocomputer, Antique Phone Experience, and More
Links for the day
Links 20/09/2025: Internet Shutdowns, Media Censorship, and Climate Worries
Links for the day
About 700 New Gemini Capsules in 13 Months (or 54 Per Month)
4.8K would represent a 20% increase
Rust People: Drain the Swap, You're Holding It Wrong
Does Rust make sense?
Techrights the Name Turns 15
About 6 weeks from now we turn 19
Microsoft is Running Out of Time and Floating Fake Figures, Fake Projects, Fake Narratives, Fake Excuses
Also, a lot of Microsoft's "revenue" claims are circular financing (i.e. Microsoft buying from itself, which means Ponzi-like fraud)
Slopwatch: LinuxSecurity, linuxconfig.org, and Plagiarised Phoronix
Many articles out there are nowadays fake
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, September 19, 2025
IRC logs for Friday, September 19, 2025
Gemini Links 20/09/2025: Navigating the Pressures of Modern Life and SpellBinding Accidentally Wrote Another Gemini Server
Links for the day