Summary: Some privacy takeaways from the analysis of Bretton Woods Law (commissioned by EPO staff) and more examples of serious privacy violations inside the European Patent Office

PRIVACY is significantly eroded by authoritarian regimes for the purpose of crushing dissent and the European Patent Office (EPO) is no exception. Eponia is highly authoritarian and it even hired autocrats like Željko Topić for top positions. A lot of the illegal surveillance inside the EPO began or culminated around the time people were chatting about criminal charges against him (for sure a story worth telling one day).

A letter was sent to Heiko Maas, Federal Minister of Justice and Consumer Protection in Germany, just over a couple of months ago. "A SUEPO lawyer addressed Heiko Maas and informed him of the latest reforms and developments at the EPO," explained an insider. Suffice to say, Maas has done virtually nothing (he has a reputation for this in Germany), but let's assess the privacy violations based on another legal office. A few days ago we saw the following new comment in IP Kat:

The EU data protection Regulation does not apply everywhere in Europe. For example, the European Patent Organisation (EPO) has its own data protection Regulation.

The document “BREACHES OF BASIC AND FUNDAMENTAL RIGHTS AT THE EPO” by Bretton Woods Law (Specialists in Public International Law) explains (from page 17 to 23) why the EPO data protection regulation fails to meet the standards of both EU data protection law and the national data protection laws of the Contracting States.

https://www.suepo.org/documents/43577/55400.pdf

Summary of deficiencies in the current EPO data protection framework:

- Fundamental rights: The reference to the respect of fundamental rights had been removed from the EPO data protection regulation (page 18).

- Lack of independent oversight: At the EPO there is no independent supervisory authority. The EPO president supervises himself the data processing he has implemented. (page 21)

- Change of purpose: The EPO data protection regulation allows the EPO President unilaterally to decide that data may be processed for purposes other than those for which they have been collected.(page 21)

- Transmission to recipients outside the European Patent Organisation: The EPO President may authorise a transfer or a set of transfers of personal data to a third country or international organisation which does not ensure an adequate level of protection.(page 21)

- Lack of any effective means of redress in circumstances where the rights of data subjects are infringed (see pages 22 and 23 - the intervention by the German data protection authorities).

Conclusion: A wide range of personal data from both patent applicants and EPO staff are processed at the EPO. The situation at the EPO falls far below the standards expected and the rights enjoyed by citizens in the rest of Europe.

The above reminded us of what the EPO does with Europatis -- a scandal which we covered here last year in the following articles:

1. Jacques Michel (Former EPO VP1), Benoît Battistelli's EPO, and the Leak of Internal Staff Data to Michel's Private Venture
2. Europatis: “Turnover of €211,800 and Zero Employees”
3. Loose Data 'Protection' and Likely Privacy Infringements at the EPO: Here's Who Gets Employees' Internal Data
4. Summary of the EPO-Europatis Series
5. Revolving Doors of High-Level EPO Management: Jacques Michel and the Questel Deal With the EPO

Privacy violations are so serious inside the EPO that detailed accounts of mock trials or investigations are being 'leaked' by EPO management to the media, in order to essentially defame the accused (a judge in one case). One of the reasons for strong data protection around one's medical record is the potential for blackmail and discrimination. In light of this we're reminded of a document we saw several months ago (it's a letter to Mr. Topić actually). It spoke about the unacceptable state of medical data protection at the EPO (it would be totally unthinkable at the USPTO). Here is the complete text

European Patent Office | 80298 MUNICH | GERMANY

Mr Željko Topic Vice President DG4

R. 707

European Patent Office 80298 Munich Germany Central Staff Committee Comité central du personnel Zentraler Personalausschuss Tel. +49 -89- 2399 - 4355 +43 -1-52126 - 305 +49 -30-25901 - 800 +31 -70-340 - 2028 centralSTCOM@epo.org Reference: sc16075cl –0.3.1/4.3 Date: 14.04.2016

Nomination of Ms R. de Greiff as Director Health and Safety

Dear Mr Topic,

On 24 March 2016 you announced on the Intranet the appointment of Ms Raffaella de Greiff as new Director Health and Safety with effect from 1 April 2016, this after serving as ad interim Director of one of the two EPO medical departments since Dr Koopman retired almost two years ago.

Ms de Greiff has a degree in “industrial relations” but no medical qualification. A non-medical person can manage a medical unit, but normally only subject to certain strict requirements:

● medical confidentiality is respected; ● non-medically qualified managers do not have access to any medical information; ● medical files and H&S staff when handling such files remain under the direct supervision of medical doctors; ● medical doctors remain free to carry out their medical duties without interference from managers in medical issues.

So far, the Office has not introduced any such formal guarantees and safeguards.

We refer in particular to the Gazette of January 2016, page 20, which includes a diagram showing that the units that administer such medical files (“Medical advisory and general administration” and “Occupational health and safety”) are under the direct authority of the Health & Safety Director and not of the medical doctors (medical advisor or OH physician), who instead appear to enjoy a consultancy role. The whole Health & Safety department led by Ms de Greiff is in turn under the authority of Ms Bergot (PD Human Resources). This new structure is problematic in several respects.

---

Firstly, Ms de Greiff is neither bound to nor protected by the Hippocratic Oath. If Ms Bergot, as her superior, demanded access to information from the medical file of a staff member (be it a MAU or an OH file), then Ms de Greiff would not have the authority to refuse such an order; neither would she be able to intervene if PD43 were to obtain medical information by other means.

In other words, the strict confidentiality of staff medical files kept in the EPO can no longer be guaranteed.

Secondly, medical doctors are responsible for ensuring the confidentiality of any and all medical data in their possession. If it cannot be guaranteed that non-medical personnel will not have access to medical information, then medical ethics oblige the doctors not to enter or amend any staff data, collected either by themselves or by external doctors working for the EPO, in the EPO medical databases. If they did nonetheless, they would risk losing their medical license.

Under such circumstances, it is unclear how the EPO medical department is supposed to function properly.

Thirdly, we have already raised a number of questions concerning the MAU which to date have never been answered. With the new structure, similar concerns now also apply to the former Occupational Health Department.

We respectfully request you to acknowledge receipt of the above observations and take a position on them.

Yours sincerely, The Central Staff Committee cc.: Mr B. Battistelli; President of the EPO Ms Dr Bosch and Mr Dr Schüder Ms R. de Greiff Ms E. Bergot

This medical data protection letter, contained in the original PDF, has the signatures of many staff representatives, not just SUEPO representatives. This is an important letter regarding a serious problem which is widely known about (word of mouth and more). When will the EPO realise that this is totally unacceptable in the 21^st century? In this particular case the abuse of privacy of staff cannot even be excused/justified using a war on unions/dissent/whistleblowers. It's just an authoritarian regime's dream. ⬆