Bonum Certa Men Certa

EPO and Microsoft Collude to Break the Law -- Part IX: Know Your Vendor…

Previous parts:



A big brother-like spy
The never-ending saga of Microsoft's run-ins with European data protection authorities



Summary: Microsoft is one of the world's worst offenders when it comes to privacy, but vendor assessment by the EPO conveniently overlooks the law

Even before GDPR came into effect in May 2018, data protection regulators in some European countries were starting to have their doubts about whether Microsoft's flagship product, its Windows operating system, was compliant with European data protection standards.



The first national authority to kick into action was the French National Data Protection Commission (CNIL).

Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question.

"Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question."No fewer than six violations of the French Data Protection Act were identified by CNIL, including continued transfer of data based on Safe Harbor principles despite the fact that the Safe Harbour Agreement had been invalidated by the CJEU in October 2015.

Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.

In June 2017, it was reported that Microsoft had scaled back the volume of data it collected from Windows 10 PCs by "almost half". This led CNIL to announce that Windows 10 was no longer in breach of the country's data protection laws and that it had decided to close the case.

But that was only the first chapter in the never-ending saga of Microsoft's run-ins with European data protection authorities.

"Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000."A few months later in October 2017, it was reported that the Dutch data protection authority (Autoriteit Persoonsgegevens) had come to the conclusion that Microsoft was in breach of Dutch data protection law due to the way it processed the personal data of Windows 10 users.

According to the Dutch data watchdog, Microsoft made it impossible for users to give their valid consent to their personal data being processed due to the multiple ways in which that data might subsequently be used.

The Dutch regulator noted that Microsoft had promised to end its "violations", but warned that a failure to do so could lead it to impose a sanction.

After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release "new, potentially unlawful, instances of personal data processing".

"After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release "new, potentially unlawful, instances of personal data processing"."In the meantime GDPR had entered into force, and this led the Dutch data protection authority to refer its concerns to the competent lead EU privacy regulator under the new regulations. This was the national data protection authority where Microsoft's regional HQ for the EU is located, namely the Irish Data Protection Commission.

And so the seriously under-resourced Irish DPC added the Microsoft GDPR non-compliance case to an already long list of files concerning the cross-border data processing activities of multiple tech giants which had accumulated on its docket since the GDPR came into force in May 2018.

According to the most recently available reports from May 2020 the Microsoft case is still pending before the Irish Data Protection Commission.

The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.

"The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365."The DPIA was commissioned because this was a clear-cut case of data processing on a large scale (by 300,000 government employees) which involved personal data, including data that could be potentially used to track the activities of employees.

The aim of the exercise was to assess the extent to which Microsoft's Office Online and the Mobile Office Apps could be deployed in a GDPR-compliant manner by Dutch government organisations.

The scope of the investigation included the five most commonly used Office 365 applications – Word, PowerPoint, Outlook, Excel and Microsoft Teams – in Office Online and the Mobile Office apps, in combination with the use of cloud storage services.

The final report [PDF], which was published in November 2018, identified a number of serious data protection risks, in particular the following:

● Loss of control over the use of personal data; ● Loss of confidentiality; ● Inability to exercise rights; ● Re-identification of pseudonymised data; ● Unlawful (further) processing.

It was noted that effective risk mitigation was outside of the users' control and could only be carried out by Microsoft.

"It was noted that effective risk mitigation was outside of the users' control and could only be carried out by Microsoft."The investigation found an unacceptable lack of control by users over the processing of personal data by Office 365 mobile applications. Because of this government organisations were advised to create policies for their employees stating that they were not to use mobile Office 365 applications.

As we shall see in the next part, the investigation by the Dutch authorities into the GDPR-compliance of Microsoft products prompted the European Data Protection Supervisor to announce its own investigation into Microsoft products used by EU institutions.

Recent Techrights' Posts

Gemini Links 03/10/2024: RetroChallenge and Change of Online Habits
Links for the day
Links 03/10/2024: Quantum Computer Vapourware (as Usual) and Samsung Layoffs
Links for the day
Links 03/10/2024: "Hey Hi" Scandals and Copyright/Trademark Disputes
Links for the day
Invidious Seems to be Nearing 'End of Life' After Repeated Crackdowns by Google/Alphabet/YouTube
To Free software users, YouTube ought to become a "no-no"
Links 03/10/2024: Climate Issues and Tensions in East Asia
Links for the day
Like a Marketing Department of Microsoft, Canonical Sells Back Doors and Surveillance as "Confidential" and "Hey Hi" (AI)
Notice how Canonical has made no statement critical of Microsoft for years
Gemini Links 03/10/2024: Frozen Tofu and SGI O2
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, October 02, 2024
IRC logs for Wednesday, October 02, 2024
Links 02/10/2024: Microsoft Spying on Windows Users Grows, Microsoft's Surveillance Arm LinkedIn Used to Highlight Employment Crisis
Links for the day
Links 02/10/2024: Students Who Can’t Read Books and Dead Butt Syndrome
Links for the day
Gemini Links 02/10/2024: GNU/Linux Distros, Flat-File Databases, and How the Web ate Gopher
Links for the day
Technology: rights or responsibilities? - Part II
By Dr. Andy Farnell
A Cost-Free Bribe From Microsoft
Daniel Stenberg is not dumb, but he seems rather gullible or unprincipled
Plans for the Site's 19th Year
Like TechDirt, we expect to devote more efforts/time to covering free speech online
Network Getting Faster
Loading up the site in 0.077 seconds
The Manchester Experience
Yesterday Tux Machines served 436,897 Web hits
If Red Hat Has Mass Layoffs This Year, Nobody Will Tell You About It
We seem to have entered a strange quasi-cosmic era wherein layoffs aren't disclosed anymore and news sites don't bother to report them, either
IBM, Kyndryl, Subsidiaries (Like Red Hat) and Silent Layoffs
Kyndryl follows in IBM's footsteps with rolling layoffs likely affecting thousands
Anniversaries and New Beginnings
The world needs more transparency and far less secrecy
Links 02/10/2024: Microsoft Kills Off HoloLens, Media Discusses Assange Speech
Links for the day
Gemini Links 02/10/2024: New Car, Broadband, and Gemtexter 3.0.0
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, October 01, 2024
IRC logs for Tuesday, October 01, 2024
[Meme] October 1st: The Day Julian Assange 'Officially Came Back'
Assange: See you in Strasbourg in 5 years
Full Transcript of Julian Assange's Speech in Strasbourg
the full thing
The Full Talk by Julian Assange Including Questions and Answers Discussed Further (October 1st 2024, Council of Europe Committee Legal Affairs)
Wikileaks covered this talk in "tweets"
Julian Assange's First Publicly Delivered Talk Since 2019
Julian Assange's talk in France
Links 01/10/2024: Another Escalation in the Middle East, Software Patents Being Squashed
Links for the day
Microsoft's Collapse is Continuing
Microsoft is discontinuing its HoloLens headsets
Links 01/10/2024: Gavin Newsom's Tech Safety Legislation, YouTube Sued for Health Harms
Links for the day
Gemini Links 01/10/2024: ROOPHLOCH and Photos
Links for the day
Julian Assange Talk: Watch Live
2 hours from now
"IBM executives did not decide to buy Red Hat on their own, nor will they decide to sell Red Hat on their own should that time ever arise"
Since IBM bought Red Hat it merely made its products more proprietary
GNU/Linux and Android Rose to New Highs in September
StatCounter isn't the ground truth, but there's not much else in the public domain.
Links 01/10/2024: Climate Stories, Climate Change, and War in Lebanon
Links for the day
Gemini Links 01/10/2024: Separation, Validation, and Flatfile Databases
Links for the day
Blind Worship of Technology is a Misguided Fool's Errand
Andy Farnell of the Cybershow used the metaphor of "golden calf" last week
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, September 30, 2024
IRC logs for Monday, September 30, 2024