As is well known, the EPO made headlines in Germany in June 2015 following revelations about covert surveillance conducted by the Benoît Battistelli's notorious "Investigative Unit" which was reported to have deployed hidden cameras and key loggers in a manner that would have been illegal under EU and national data protection law in Germany.
"Media reports about the EPO spy-scandal persuaded Ms Voßhoff to dust off the EPO file and renew her efforts to have this rogue organisation called to account by the Federal German authorities."In July 2015, Ms Voßhoff proceeded to write to Ms Renate Kunast, the Chairperson of the Legal Affairs Committee of the German Federal Parliament (the "Bundestag") to bring her concerns to the attention of German parliamentarians.
The text of Ms Voßhoff's letter [PDF] reads as follows (in translation):
I was made aware of the issue of the lack of independent external data protection supervision of the European Patent Office (EPO) by the Bavarian State Commissioner for Data Protection.
My efforts to improve data protection supervision at the EPO have so far been have so far been unsuccessful.
I would therefore like to draw the attention of the German Bundestag to the problem.
The European Patent Office is an organ of the European Patent Organisation (EPO) established by the European Patent Convention (EPC) and endowed with legal personality. It is therefore a supranational institution based on an international treaty with its headquarters in Munich and offices in The Hague, Berlin, Vienna and Brussels. Vienna and Brussels with about 6,800 employees. The contracting states are 38 European countries, including all EU member states.
The legal nature of the EPO means that there is no data protection supervision by an independent external body. Neither the Bavarian State Commissioner for Data Protection nor I can derive any competence from state or federal data protection law. The EPO is neither a public body of the State of Bavaria nor of the Federal Republic of Germany. The European Data Protection Supervisor is also ruled out as an independent supervisory body, as the EPO is neither an institution nor a body of the European Union.
Even if, according to the EPO's internal data protection officer, internal data protection regulations have been in place at the EPO since 1992, in particular based on the Data Protection Directive 95/46 EC, a lack of independent external data protection supervision is also taken as given from the EPO perspective.
In the interest of safeguarding the data protection rights of those affected, I have contacted the responsible Federal Ministry of Justice and Consumer Protection (BMJV) with the request to examine measures to close this supervisory and oversight gap, for example by means of a corresponding amendment to the EPC.
The BMJV has not yet taken up this suggestion. It refers to the necessity of a diplomatic conference of all 38 contracting states of the EPC for such an institutional reform of the EPC. This time-consuming procedure would not permit an amendment in the short term.
However, the Federal Ministry of Justice gives an assurance that it will continue to advocate, within the scope of its possibilities, compliance with and further development of high data protection standards and an independent data protection structure in its committee work within the EPO.
Although I have some understanding for the BMJV's position, the permanent absence of an independent external supervisory authority for data protection matters nevertheless poses a risk - that should not be underestimated - to the fundamental right to informational self-determination of the persons concerned given the processing of a large amount of personal data of applicants and staff at the EPO.
This risk is rendered apparent by a case that has now received press coverage. In an article dated 8 June 2015 (see attachment), the Süddeutsche Zeitung reported allegations that two publicly accessible computers at the EPO were placed under surveillance with so-called keyloggers and video cameras without the persons concerned being informed. Due to the current legal situation, no independent data protection supervisory authority can investigate these allegations.
Moreover, those potentially affected, in particular members of the Administrative Council, patent attorneys, employees and visitors to the EPO, lack any possibility of turning to an independent body capable of enforcing their rights to informational self-determination.
In view of the prevailing factual and legal situation, I would be grateful if the Legal Affairs Committee would address the issue in a supportive manner.
[PDF].
"As far as can be determined from the available evidence, the authors of this intrigue were the duplicitous Tweedledum and Tweedledee duo of the EPOââ¬âFederal Justice Ministry nexus, Raimund Lutz and Christoph Ernst."However, as we shall see in due course, Ms Voßhoff's efforts to have the deficiencies in the EPO's data protection framework subjected to meaningful parliamentary scrutiny were derailed by what appears to have been a nefarious behind-the-scenes intrigue.
As far as can be determined from the available evidence, the authors of this intrigue were the duplicitous Tweedledum and Tweedledee duo of the EPOââ¬âFederal Justice Ministry nexus, Raimund Lutz and Christoph Ernst.
Before delving into the details of the intrigue which derailed Ms Voßhoff's initiative, we will make a detour to look more closely at these two individuals and their respective roles in EPO affairs over the last two decades. ⬆