Bonum Certa Men Certa

EPO and Microsoft Collude to Break the Law -- Part X: The Spectre of GDPR…

Previous parts:



GDPR and Microsoft
More about Microsoft's run-ins with European data protection authorities



Summary: António Campinos and his friends may have put the EPO in legal "hot water", having already outsourced EPO data to a serial GDPR violator with a notorious track record in other aspects, too

In April 2019 it was reported that "the Spectre of GDPR" continued to haunt the hallowed halls of Redmond, this time in the shape of an investigation ordered by the EU Data Protection Supervisor (EDPS) into Microsoft products used by EU institutions.



The move by the EDPS was prompted by the outcome of the Data Protection Impact Assessment which had been commissioned by the Dutch Ministry of Justice and Security in 2018.

"The move by the EDPS was prompted by the outcome of the Data Protection Impact Assessment which had been commissioned by the Dutch Ministry of Justice and Security in 2018."The EDPS noted that any EU institutions using the applications investigated by the Dutch authorities would face similar issues including "increased risks to the rights and freedoms of individuals".

The report of the EDPS on the "Outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services" was published on 2 July 2020.

The EDPS identified a number of serious issues calling for further action, including the following:

● The licensing agreement between Microsoft and the EU institutions was formulated in loose manner that effectively permitted Microsoft to act as a data controller which the EDPS found inappropriate.

● The lack of control by EU institutions over which sub-processors Microsoft used and the lack of meaningful audit rights presented significant issues which needed to be addressed.

● EU institutions were unable to control the location of a large portion of the data processed by Microsoft. Nor did they properly control what was transferred out of the EU/EEA and how. There was also a lack of proper safeguards to protect data that left the EU/EEA.

● EU institutions had few guarantees at their disposal to defend their privileges and immunities and to ensure that Microsoft would only disclose personal data insofar as permitted by EU law.

According to the EDPS, the EU institutions lacked sufficient clarity as to the nature, scope and purposes of the data processing carried out by Microsoft and the risks to data subjects for the purpose of complying with their transparency obligations towards data subjects.

The EDPS recommended that all EU institutions perform tests using a revised and comprehensive approach in order to monitor and stem the flow of personal data generated by Microsoft products and services and sent to Microsoft.

"The EDPS recommended that all EU institutions perform tests using a revised and comprehensive approach in order to monitor and stem the flow of personal data generated by Microsoft products and services and sent to Microsoft."It remains to be seen whether or not the EDPS' beef with Microsoft will be resolved in an amicable manner or whether it will result in the imposition of GDPR fines which, in serious cases, can be as much as 4% of a company's worldwide annual revenue.

Microsoft has also had its fair share of grief with the data protection authorities in the EPO's main host country, Germany.

Back in July 2019 it was reported that the data protection authority in the state of Hesse had issued a ruling that Microsoft’s Office 365 could no longer be used by schools following the closure of a German data centre which had been used by Microsoft to provide cloud services.

This ruling came after several years of domestic debate about whether German schools and other state institutions should be using Microsoft software at all.

To allay German privacy concerns, Microsoft had invested millions in a German cloud service, and in 2017 Hesse authorities agreed that local schools could use Office 365 as long as German data remained in the country. But in August 2018 Microsoft decided to shut down the German service which meant that, once again, data from local Office 365 users would be transmitted across the Atlantic.

"...in August 2018 Microsoft decided to shut down the German service which meant that, once again, data from local Office 365 users would be transmitted across the Atlantic."In view of the changed circumstances, the data protection commissioner decided that there was now an unacceptable risk that users' data could be accessed by US authorities.

More recently, in October 2020, it was reported that at the Conference of German Federal and State Data Protection Supervisory Authorities, a majority of Germany's regional data protection commissioners supported a finding that Microsoft Office 365 did not comply with GDPR standards. They also made clear that changes were urgently needed to comply with the CJEU Schrems II judgment on cross-border data transfers.

Once again, it's too early to say whether this matter will be resolved in an amicable manner or whether it will result in the imposition of GDPR fines.

However, for some time now German lawyers have been warning their clients about the potential financial risks of using non-GDPR compliant software, including many widely used Microsoft products.

For example, one Hamburg-based law firm published the following advice in July 2020:

"...for some time now German lawyers have been warning their clients about the potential financial risks of using non-GDPR compliant software, including many widely used Microsoft products.""Using MS-Teams, Skype and other Office 365 services violates data protection law and may result in million Euro fines. That’s the conclusion of two papers recently issued by the Berlin Commissioner for Data Protection and Freedom of Information. There is urgent need for action in many companies now."

Time will tell whether or not such warnings are justified. However, based on past experience Microsoft is unlikely to be given an easy ride by the German and other European data protection authorities and this may well have some unpleasant fallout for commercial users of its services and products.

In the meantime German scepticism about Microsoft has surfaced in the European Parliament.

In February 2020, Klaus Buchner - a university professor, physicist, and MEP for the green-conservative Ecological Democratic Party - submitted the following question to the EU Commission:

Subject: Microsoft Windows 10 in European local authorities

IT is part of our critical infrastructure, and in European local authorities as well IT means Microsoft Windows and Microsoft Office. It is as if European drivers could only buy cars made by one US manufacturer. As a result, European local authorities and European industry are totally dependent on a foreign monopoly supplier and are required to kow-tow to a foreign legal system and comply with foreign court judgments, which apply to Microsoft in the EU as well. To make matters worse, Windows 10 systematically transmits personal data to Microsoft. Little is known about how that data is used. The upshot is that local authorities may find themselves facing legal action for breaches of the data protection rules and the German Industrial Constitution Law. Background: ‘[...] The Data Protection Officers of the Federal Government and the Länder see little scope for using Microsoft’s Windows 10 operating system in accordance with the law […]’

Instead, standard programmes could be developed at EU level and made available to local authorities free of charge. This standard software could also be hosted in regional data centres in the EU and interested local authorities could transfer their IT operations to those centres. Of course, each local authority would be required to tailor the standard programmes to local needs and operate them independently, either from their own data centres or in an EU cloud.

1. Are there alternatives to monopoly costs and data protection problems? 2. Does the Commission see any scope for offering greater support for the use of free openware such as Linux and OpenOffice / LibreOffice?


The answer which came back from EU Commissioner Thierry Breton was for the most part the usual hot air which didn't really address the elephant in the room.

"In the meantime German scepticism about Microsoft has surfaced in the European Parliament."However, Breton took advantage of the opportunity to plug the Commission's ongoing efforts to promote an "EU cloud initiative" which would "offer credible European alternatives to non-EU providers".

And with that, we conclude our potted history of Microsoft's long-running and continuing problems with European data protection authorities.

In the next part we will take a look at some "close encounters" between the software behemoth of Redmond and other regulatory authorities, in particular the trust-busters on both sides of the Atlantic.

Recent Techrights' Posts

EFF Celebrates Microsoft Windows and Microsoft Office as "Digital Inclusion", Mocks GNU/Linux-Based ChromeOS
Yet another example/evidence that EFF has become a rotten pile of junk
 
[Meme] How to Keep Granting Hundreds of Thousands of Fake Patents (Without Upsetting Anybody in Politics and Media)
This is very Kremlin-like
EPO Examiners to Adopt Resolution Condemning EPO Management for Breaking the Law in Order to Grant Many Illegal Software Patents
Europe's second-largest institution (EPO) is a law-breaking institution hiding behind the veil of "law"
[Meme] Sup, Nazi?
"Come back, one year"
Calling "Nazi" and "Right Wing" Everyone Who Does Not Agree With You (Even Leftists Whose Views on Some Issues Slightly Differ From Yours)
Oil money has become exceptionally notorious for takeover of online platforms and institutions/NGOs (using them to incite society inwards, not upwards)
EFF Losing the Plot
Like the Linux Foundation and OSI, the EFF has succumbed to corporate influence and is derailing itself (along with its original mission)
Links 05/10/2024: Patents Being Squashed, EFF Insists on Children's Access to Porn
Links for the day
Gemini Links 05/10/2024: Multitudinous Agreeable Futures and Misfin Mail
Links for the day
Links 05/10/2024: Amazon Culling 14,000 Managers, About 160 People Resign From Automattic
Links for the day
Microsoft Moles in Nerdearla, Openwashing and Whitewashing Microsoft With Its Latest Ponzi Scheme and Storytelling
Also GPL violations en masse
The Danger of Outsourcing Your Platform to Social Control Media and Getting "Information" There
Stella is probably not aware of what she has just done
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, October 04, 2024
IRC logs for Friday, October 04, 2024
Links 05/10/2024: Shift to ARM, Microsoft XBox Crisis
Links for the day
[Meme] Who to Trust on Privacy... (Not Someone Who Boasts About Breaking Into Devices Without Authorisation)
You're not even a computer scientist...
When It Comes to Encryption, The Web (as in World Wide Web) Isn't Secure and Uses Weak Ciphers About as Often as Every Day, Even in 2024
Gemini Protocol does not
The GPL Does Not Prohibit Use of Code for Death
Windows kills even more people, but in other ways
Journalism in Europe on Life Support
Assange articulated some of the ordeals he went through
[Video] Stella Assange and Thórhildur Sunna Ævarsdóttir on Protecting Journalists Who Expose Injustice
Stella (the wife) says her husband received an invitation from the committee (PACE) while he still undergoes recovery
[Video] Thórhildur Sunna Ævarsdóttir (Iceland, SOC) Explains That Julian Assange Was Punished for Exposing Crimes (Instead of the Criminals Getting Published)
Thórhildur Sunna Ævarsdóttir speaks out...
Links 04/10/2024: Health, Asia, and Censorship
Links for the day
Links 04/10/2024: Ingrid's Back and Creative Mornings
Links for the day
[Video] The Council of Europe's Parliamentary Assembly on Julian Assange
The Council of Europe's Parliamentary Assembly has voted to confirm that Julian Assange was held as a political prisoner
Links 04/10/2024: Telegram Issues Deepen, Texas Sues TikTok
Links for the day
"The Council of Europe's Parliamentary Assembly has voted to confirm that Julian Assange was held as a political prisoner."
This stuff should not have been in Twitter (X)
Intercontinental Ballistic Missiles (ICBMs) Do Not Run Windows
The projects that deal with ICBMs are extremely unlikely to involve Microsoft
"Microsoft is asking for a handout... yet again"
Just over a month after the last bailout fell through the cracks
One Step Closer to the End of Microsoft's XBox
XBox sales are down over 50% in the past year
GNU/Linux Flaring Up in ASEAN
We said we'd not post statCounter for a few months
Gemini Links 04/10/2024: Asteroid City and Retro Gaming
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, October 03, 2024
IRC logs for Thursday, October 03, 2024
Resting Time
we deserve a short break - even if only for tomorrow
Wikileaks Revelations About the History of IBM and Its Role in the Cold War
IBM is still an ICBM company (to this very date)
Revisiting Julian Assange's Excellent Talk, His First Talk Since 2019 (Tactful and Almost Invulnerable to 'Cheap Shots')
Assange need not be politically-correct or self-censor
Windows Kills More Than Most Wars (But the Media Casually Ignores the Death Toll of Microsoft)
The bottom line is, many people are dying, they die due to Microsoft, and the media fails us by not informing us and failing to even name the principal culprit
Mozilla is GAFAM, HTTPS is Monopolies
Firefox used to boast that it would make the Web more accessible. Today's Mozilla is rowing in the opposite direction.
Gemini Links 03/10/2024: RetroChallenge and Change of Online Habits
Links for the day
Links 03/10/2024: Quantum Computer Vapourware (as Usual) and Samsung Layoffs
Links for the day
Links 03/10/2024: "Hey Hi" Scandals and Copyright/Trademark Disputes
Links for the day
Invidious Seems to be Nearing 'End of Life' After Repeated Crackdowns by Google/Alphabet/YouTube
To Free software users, YouTube ought to become a "no-no"
Links 03/10/2024: Climate Issues and Tensions in East Asia
Links for the day
Like a Marketing Department of Microsoft, Canonical Sells Back Doors and Surveillance as "Confidential" and "Hey Hi" (AI)
Notice how Canonical has made no statement critical of Microsoft for years
Gemini Links 03/10/2024: Frozen Tofu and SGI O2
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, October 02, 2024
IRC logs for Wednesday, October 02, 2024