CSC members of the GCC wrote a publication to explain the laughable situation (albeit very politely or "diplomatically" as 'suits' like to put it)
The Central Staff Committee (CSC) of the EPO has published a report on the consultative 'meeting' (Webchat or "videoconference") which took place 11 days ago regarding "Data Protection" (the EPO prefers to use this positive-sounding term whilst illegally spying on staff and sending confidential data of applicants to Microsoft/United States). The irony isn't lost either; like ViCo 'courts' dealing with or deciding on ViCo. We now have videoconferences dealing with the legality of surveillance, which certainly these videoconference facilities introduce (the EPO could self-host its videoconferencing, but it probably lacks the technical staff that can configure Free software; good workers have been driven out for years).
Munich,17/12/2021 sc21149cp
GCC meeting on 9 December 2021
Data Protection
Dear Colleagues,
The President convened a one-hour GCC meeting via videoconference in order to deal with documents about data protection, in particular to consult on new Circular 420. The Circular deals with the implementation of Article 25 of the Data Protection Rules, which is about restricting the rights of data subjects (read: employees) in specific cases. The CSC members of the GCC unanimously abstained on the document.
The CSC members of the GCC also gave an opinion (without a vote) on the Rules of Procedure of the Data Protection Board, which will act as an “Appeals Committee” for data protection disputes.
Both opinions are attached to this report.
At the end of the meeting we asked about the President’s intentions with his draft social agenda, in particular the “Review of Leave1”. The President announced that all aspects of leave would be addressed, but with the aim making them fair, transparent, predictable and simple, as always2.
The Central Staff Committee
Annexes: opinions of the CSC members of the GCC
- Circular 420: Implementing Article 25 of the Data Protection Rules (DPR) (document GCC/DOC 26/2021) - Rules of Procedure of the Data Protection Board (document GCC/DOC 27/2021)
_____________ 1 See also our publication “Social Agenda 2022” of 3 December 2021. 2 He made the same promise for the reform of the education benefits.
Annexes
Opinion of the CSC members of the GCC on GCC/DOC 26/2021 Circular 420: Implementing Article 25 of the Data Protection Rules (DPR)
General Remarks
In June 2021, the Administrative Council adopted amendments to the ServRegs and the Implementing Rules for Articles 1b and 32a ServRegs (Protection of personal data and data protection oversight), the “DPR”, with decision CA/D 5/21. The GCC consulted on 2 June 2021 on the corresponding CA document CA/26/21. The opinion1 of the CSC members of the GCC was published with their report on the GCC meeting. Obviously, the main flaws of the regulation remain and cannot be remedied in a lower-ranking Circular No. 420.
Human rights should never be taken for granted. The recent judgments regarding the rights for strike at the EPO provide proof for that. The rights to privacy and protection of personal data are such human rights.
Therefore, the CSC members of the GCC appreciate the efforts of the Office to align with highest standards and best practices in data protection. What are these highest standards? It is the GDPR, the general Data Protection Regulations from the EU, as well as the EUDPR, the regulation on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies, which have been introduced in 2018. These are widely considered the Gold Standard in data protection.
Already in February 2019, so almost three years ago, in a publication 2 Staff Representation denounced that the rights to privacy and protection of personal data of EPO employees and its stakeholders did not correspond to these highest standards. Staff representation asked that:
1. The EPO policies on data protection should be aligned with the EU regulations; 2. The role of the Data Protection Officer should be strengthened, and its independence should be assured; 3. An external and independent oversight body should be appointed with the task of monitoring the application of data protection policies at the EPO; 4. Separate data protection policies should be defined for investigative procedures (e.g., misconduct or fraud). Its implementation should be the responsibility of a distinct Data Protection Officer nominated, e.g., by the Administrative Council.
Although late (almost 3 years after that publication and 4 years after the introduction of the EU regulations, and although not as ambitious as we might have liked, finally the EPO has taken some steps forward. We see that indeed the EPO policies have been aligned with the EU regulations and that we have a Data Protection Officer who is more independent and has more resources.
Still the new framework deviates in some important points from the EUDPR. Indeed, it does not provide the same level of protection afforded to employees in the EU institutions.
The main problem is that the President of the Office is both the controller and the appointing authority for the members of the supposedly independent Data Protection Board (DPB). The task
_____________ 1 Opinion of the CSC members of the GCC on GCC/DOC 5/2021 (CA/26/21 and CA/26/21 Add.1): Modernisation of the Data Protection Framework of the European Patent Office under the Strategic Plan 2023, 10.06.2021, link 2 Data Protection @ EPO, quo vadis?, CSC, 20.02.2019, link
of the Data Protection Board is to check that the controller is doing the right things. The second problem is that the powers of the Data Protection Board are limited: it cannot make binding opinions or impose sanctions. It just provides an opinion which the EPO President (the controller) can follow or not. For further information please refer to the Opinion of the CSC members of the GCC on GCC/DOC 5/20211.
Evidently, the EPO has a specific institutional set-up which differs from that of the EU institutions. However, this does not explain the important deviations from the Data Protection Regulation of the EU on such fundamental points. So, we observe some improvements, but unfortunately no Gold Standard at the EPO on the topic of data protection regulations.
On Circular No.420
One critical provision is Article 25 DPR, which restricts the rights of the data subject. Article 25 DPR essentially corresponds to Article 25 EUDPR. The rights concerned are the rights to information, access, rectification, erasure, restriction of processing, data portability, notification and communication of a personal data breach and confidentiality of electronic communications. The rights which remain untouched are the right to object and the right to be preserved from decisions based solely on automated processing.
In the EU, the restrictions either relate to the Member States, to “dispute” proceedings or exclusively to the internal security of Union institutions and bodies, including of their electronic communications networks (Article 25.(1)(d)).
Whereas the CSC members of the GCC are able to compare the EPO DPR with the EUDPR, they lack information (e.g. benchmarks) allowing them to compare with other international organisations or EU agencies, as regards the implementation of Article 25. They also lack benchmarks on how often these restrictions are applied in other organisations. Data on the past and current practice of imposing such restrictions at the EPO are also not available.
Consultation process
The Circular mentions “extensive consultation with those relevant internal stakeholders over the last few months”. One of the main stakeholders, the representatives of the EPO staff, i.e., its Staff representation was excluded from the task force. A single one-hour ViCo was convened by the DPO for explaining the Circular and for the Staff Representation to give their input. However, IT issues prevented the circular from being available for all staff representatives on time. Due to the very tight time line and the extremely late involvement of the Staff Representation, no replacement ViCo could be convened. The GCC meeting is de facto the first opportunity to discuss the Circular with management. One informal meeting with the DPO took place beforehand.
As to the content
Article 4 provides a list of situations, or legal grounds, in which restrictions to the rights of the data subject are possible. It lists inter alia also internal audits. One can reasonably assume that some right on data protection might have to be temporarily restricted during investigative or disciplinary proceedings. However, in the case of internal audits this is questionable. “Internal audits” is a broad term. It might be that there are some specific internal audits for which such restrictions are
necessary. These specific internal audits should have been listed instead of the broad term “internal audits”.
Restrictions are discretionary acts by a data controller, hence subject to limited review. In reply to a request for review, the (delegated) controller will only inform the requester whether the data have been processed correctly and, if not, whether any necessary corrections have been made3. It is therefore very different from a usual request for review within the meaning of Article 109 ServRegs, which calls for a reasoned decision4. The controller must be able to demonstrate compliance with the DPR, for accountability purposes, but the requester is not informed of that “demonstration”.
The Office might impose restrictions, e.g., as regards confidentiality of electronic communications, in investigations, disciplinary proceedings, appeals proceedings, health-related processes. The grounds for the restriction have to be given, i.e., the “legal basis” for the restriction as listed in Article 4. Reasons for restrictions might remain hidden to the data subject in certain cases5. When it comes to disputes in such cases, the facts available to one party, the Office, shall be made available to the Data Protection Board upon request. The other party, i.e., the staff member, will not necessarily have access to those facts. This jeopardises the right to a “fair trial” before the DPB.
This shows again that these restrictions should be imposed only in very specific and exceptional cases. And this is further proof of the importance of the independence of both the Data Protection Board and the DPO, which is crucial for building trust..
Conclusion
The Office deliberately chooses not to follow the EUDPR, which can be considered the “gold standard”. Even when taking into account the institutional set-up of the Organisation6, the new framework could have been aligned closer to the EUDPR. The main problems are, in particular, that the President of the Office is both the controller and the appointing authority for the members of the DPB and that the DPB cannot make binding opinions.
The new framework will require re-evaluation in a few years, hopefully with a view to coming closer to the EUDPR.
Based on the foregoing, the CSC members of the GCC unanimously abstain on the document.
_____________ 3 Article 25(3)c DPR. 4 Article 109(4) ServRegs: “The competent appointing authority shall take a reasoned decision on the outcome of the review...” 5 See Article 7(4); see also Article 25(3)b. and 25(4) DPR 6 See, e.g., Article 10 EPC
Opinion of the CSC members of the GCC on document GCC/DOC 27/2021: Rules of Procedure of the Data Protection Board
The CSC members of the GCC give the following opinion on document GCC/DOC 27/2021.
Introduction
The Administrative Council (AC) has been informed in June 2021 of the Data Protection Rules (DPR) with document CA/26/21 Add. 1. The AC has adopted the new data protection framework with decision CA/D 5/21.
The Data Protection Board (DPB) has two functions, namely an oversight / advisory function and a function as part of the mechanism for legal redress1. The Rules of Procedure (RoP) of the DPB describe the role and the responsibilities of the DPB, including the procedure for dealing with complaints on data protection issues.
The RoP of the DPB relate to the second function, i.e. dealing with complaints. The DPB will replace the Appeals Committee (ApC) for decisions on data protection issues. The RoP for the DPB resemble the RoP for the ApC. In comparison, they include inter alia additional directions for the Board, e.g. as regards criteria for receivability (Article 5), various constraints on time limits for internal processing, the concrete form of opinions (Article 10), etc. The DPB is composed of members having a recognised technical and/or legal background, especially in data protection matters. One would expect that the DPB would be in a position to sort out such matters in an autonomous manner, i.e., deciding on the RoP themselves without interference by the President of the Office, taking for instance good judicial practice and ILOAT jurisprudence into account.
The RoP of the DPB are adopted by the President of the Office in consultation with the President of the Boards of Appeal. With the GCC document, the President informs the GCC members that he adopts the RoP of the DPB. The role of the DPB is limited to proposing amendments to these RoP, which the President may adopt or reject. The DPO confirmed this in the GCC meeting: the DPO would consider whether the proposed amendments could be taken over. By contrast, the Appeals Committee adopts its own Rules of Procedure (with additional approval from the President of the EPO). The latter is the more appropriate sequence for a body intended to be an independent supervisory.
The general impression is that the DPO is willing to retain control on the procedure, which the DPB is expected to follow, although the DPB is the DPO’s supervisory.
The missing bits: rules for oversight / advisory and whistleblowing functions
The RoP include a general statement as to its role, viz. an expert, reliable and authoritative body in the field of data protection ensuring an appropriately informed decision-making process by the President. However, the rules exclusively relate to its function as a replacement for the ApC for dealing with individual disputes. No rules are set up for its advisory function.
Furthermore, under Article 68 of the EU Regulation, staff members of the EU institutions, bodies and agencies can lodge complaints with the European Data Protection Supervisory
_____________ 1 Article 47 DPR
(EDPS), which roughly corresponds to the DPB, even if they are not personally affected by the alleged breach. This is a whistle-blower provision. The EPO excludes this possibility in Article 3(1): only the data subject whose data protection rights have allegedly been infringed is entitled to lodge a complaint.
This could be explained by external institutional constraints, such as the regulations at ILOAT, if the DPB was regarded exclusively as a replacement for the ApC. However, this is not the case and there is a need for establishing a formal channel for dealing with whistle-blowers, in data protection matters as well as in other matters. Presently there is no such channel formalised in the Service Regulations.
Specific positive aspects in the RoP of the DPB:
- Article 10(6): the reasoned opinion of the DPB is communicated to all parties at the same time, including the complainant.
- Article 15(2): a possibility is created for the Board to further examine a complaint of its own motion after the complainant has withdrawn.
- Article 9(7): there is a provision for urgency.
- Article 16(1): the communication of the final decisions is apparently managed by the DPB itself (Secretariat).
The CSC members of the GCC suggest that the ApC should consider including these aspects, mutatis mutandis, into their own rules.
Negative aspect in the RoP:
- Contrary to the ApC, no hearing is foreseen.
The CSC members of the GCC suggest that the DPB should consider including this essential possibility, mutatis mutandis, into their own rules and regret that the DPO is of the opinion that proceedings in writing are sufficient in all cases.