According to Thomas Petri, Bavarian Data Protection Commissioner, "nobody is really in charge" when it comes to data protection matters at the EPO
THIS Part I isn't the same as the introduction to Part I. This is the body of the long story, which will be told responsibly and prudently for the coming fortnight, several times per day. Without further ado, and in spite of suppression attempts, we start this series.
He called for an external data protection supervisor to be assigned to the EPO because the internal inspectors were not independent enough and "in the absence of any action matters are likely to get out of hand".
An optimist might like to believe that things have surely improved since then. Unfortunately there is no evidence of this.
In the meantime the EPO seems to have just muddled along relying on its traditional "three monkeys" approach to "rebutting" external criticism of its data protection framework.
The EPO's approach to "rebutting" criticism of its data protection framework: See no evil – hear no evil – speak no evil
epo.org link) proclaiming its commitment to "ensuring the highest level of data protection" and announcing that "a recent audit report has confirmed a close alignment with the GDPR legal framework".
Of course no substantive information about the "recent audit report" was provided.
The reader is expected to take the EPO's claim at face value despite the fact that it is scarcely credible that an independent external audit could have arrived at such a conclusion.
If Dr Petri was of the considered opinion that the EPO's data protection framework was deficient when measured against pre-GDPR data protection standards, then it's difficult to see how the same framework, which hadn't changed in the meantime, could be considered to meet the even more stringent data protection standards imposed by GDPR.
As a matter of fact, a report commissioned by the EPO staff union SUEPO from external legal experts in 2016 confirmed that the EPO's data protection framework was not compliant with EU data protection standards and was in urgent need of a radical overhaul.
But it's necessary to understand that we are dealing here with the logic of the "système Battistelli".
If Battistelli insists that the EPO's data protection framework is GDPR-compliant, well then it has to be. Anybody who dares to question that claim had better watch out! Perish the thought that someone could be so impudent as to call for an independent audit…
And it would be a grave mistake to think that things have improved on this front following Battistelli's departure.
More recently in September 2020, the EPO published a notice on the topic of "Data privacy policy for the processing of personal data in Microsoft 365".
Once again the reader is assured:
"The protection of your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature (i.e. data that can identify you directly or indirectly) will be processed fairly, lawfully and with due care."
For good measure the well-rehearsed schtick about GDPR-compliance is trotted out:
"We strive to keep our data protection framework in line with current best practices. A recent audit report has confirmed that it is in close alignment with the EU’s General Data Protection Regulation (GDPR)."
But where is this mysterious "recent audit report"?
Is it the same one that Battistelli referred to over two years previously back in May 2018?
Of course you're not supposed to ask and if you have the temerity to do so, then you'd better not hold your breath waiting for an answer.
But when you peel away the PR façade, what the public notice of September 2020 does provide in terms of factual evidence is an irrefutable indication of the increasing reliance of the EPO on cloud computing services hosted by Microsoft.
In the next part we will see how this was confirmed by a recent internal communiqué from EPO Vice-President Steve Rowan (warning: epo.org link), formerly Director of Patents, Trade Marks, Designs and Tribunals at the UKIPO.