Bonum Certa Men Certa

EPO's Illegal Surveillance Covered Up by Buzzwords Bingo and Acronyms: Data Protection Board (DPB), Data Protection Rules (DPR), and Data Protection Officer (DPO)

EPO's B&W logo
CSC members of the GCC wrote a publication to explain the laughable situation (albeit very politely or "diplomatically" as 'suits' like to put it)



Summary: Years after the surveillance scandals (blunders and actual crimes) of Benoît Battistelli it seems clear that António Campinos carries on with the same tradition of violating privacy of staff and stakeholders, who are of course being lied to (with euphemisms such as "Data Protection")

The Central Staff Committee (CSC) of the EPO has published a report on the consultative 'meeting' (Webchat or "videoconference") which took place 11 days ago regarding "Data Protection" (the EPO prefers to use this positive-sounding term whilst illegally spying on staff and sending confidential data of applicants to Microsoft/United States). The irony isn't lost either; like ViCo 'courts' dealing with or deciding on ViCo. We now have videoconferences dealing with the legality of surveillance, which certainly these videoconference facilities introduce (the EPO could self-host its videoconferencing, but it probably lacks the technical staff that can configure Free software; good workers have been driven out for years).



In any case, this 6-page publication which currently circulates among EPO staff was 'leaked' to us, so we can reproduce it in full below, as HTML:

Munich,17/12/2021 sc21149cp

GCC meeting on 9 December 2021

Data Protection



Dear Colleagues,

The President convened a one-hour GCC meeting via videoconference in order to deal with documents about data protection, in particular to consult on new Circular 420. The Circular deals with the implementation of Article 25 of the Data Protection Rules, which is about restricting the rights of data subjects (read: employees) in specific cases. The CSC members of the GCC unanimously abstained on the document.

The CSC members of the GCC also gave an opinion (without a vote) on the Rules of Procedure of the Data Protection Board, which will act as an “Appeals Committee” for data protection disputes.

Both opinions are attached to this report.

At the end of the meeting we asked about the President’s intentions with his draft social agenda, in particular the “Review of Leave1”. The President announced that all aspects of leave would be addressed, but with the aim making them fair, transparent, predictable and simple, as always2.

The Central Staff Committee

Annexes: opinions of the CSC members of the GCC

- Circular 420: Implementing Article 25 of the Data Protection Rules (DPR) (document GCC/DOC 26/2021) - Rules of Procedure of the Data Protection Board (document GCC/DOC 27/2021)

_____________ 1 See also our publication “Social Agenda 2022” of 3 December 2021. 2 He made the same promise for the reform of the education benefits.




Annexes



Opinion of the CSC members of the GCC on GCC/DOC 26/2021 Circular 420: Implementing Article 25 of the Data Protection Rules (DPR)

General Remarks

In June 2021, the Administrative Council adopted amendments to the ServRegs and the Implementing Rules for Articles 1b and 32a ServRegs (Protection of personal data and data protection oversight), the “DPR”, with decision CA/D 5/21. The GCC consulted on 2 June 2021 on the corresponding CA document CA/26/21. The opinion1 of the CSC members of the GCC was published with their report on the GCC meeting. Obviously, the main flaws of the regulation remain and cannot be remedied in a lower-ranking Circular No. 420.

Human rights should never be taken for granted. The recent judgments regarding the rights for strike at the EPO provide proof for that. The rights to privacy and protection of personal data are such human rights.

Therefore, the CSC members of the GCC appreciate the efforts of the Office to align with highest standards and best practices in data protection. What are these highest standards? It is the GDPR, the general Data Protection Regulations from the EU, as well as the EUDPR, the regulation on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies, which have been introduced in 2018. These are widely considered the Gold Standard in data protection.

Already in February 2019, so almost three years ago, in a publication 2 Staff Representation denounced that the rights to privacy and protection of personal data of EPO employees and its stakeholders did not correspond to these highest standards. Staff representation asked that:

1. The EPO policies on data protection should be aligned with the EU regulations; 2. The role of the Data Protection Officer should be strengthened, and its independence should be assured; 3. An external and independent oversight body should be appointed with the task of monitoring the application of data protection policies at the EPO; 4. Separate data protection policies should be defined for investigative procedures (e.g., misconduct or fraud). Its implementation should be the responsibility of a distinct Data Protection Officer nominated, e.g., by the Administrative Council.

Although late (almost 3 years after that publication and 4 years after the introduction of the EU regulations, and although not as ambitious as we might have liked, finally the EPO has taken some steps forward. We see that indeed the EPO policies have been aligned with the EU regulations and that we have a Data Protection Officer who is more independent and has more resources.

Still the new framework deviates in some important points from the EUDPR. Indeed, it does not provide the same level of protection afforded to employees in the EU institutions.

The main problem is that the President of the Office is both the controller and the appointing authority for the members of the supposedly independent Data Protection Board (DPB). The task

_____________ 1 Opinion of the CSC members of the GCC on GCC/DOC 5/2021 (CA/26/21 and CA/26/21 Add.1): Modernisation of the Data Protection Framework of the European Patent Office under the Strategic Plan 2023, 10.06.2021, link 2 Data Protection @ EPO, quo vadis?, CSC, 20.02.2019, link




of the Data Protection Board is to check that the controller is doing the right things. The second problem is that the powers of the Data Protection Board are limited: it cannot make binding opinions or impose sanctions. It just provides an opinion which the EPO President (the controller) can follow or not. For further information please refer to the Opinion of the CSC members of the GCC on GCC/DOC 5/20211.

Evidently, the EPO has a specific institutional set-up which differs from that of the EU institutions. However, this does not explain the important deviations from the Data Protection Regulation of the EU on such fundamental points. So, we observe some improvements, but unfortunately no Gold Standard at the EPO on the topic of data protection regulations.

On Circular No.420

One critical provision is Article 25 DPR, which restricts the rights of the data subject. Article 25 DPR essentially corresponds to Article 25 EUDPR. The rights concerned are the rights to information, access, rectification, erasure, restriction of processing, data portability, notification and communication of a personal data breach and confidentiality of electronic communications. The rights which remain untouched are the right to object and the right to be preserved from decisions based solely on automated processing.

In the EU, the restrictions either relate to the Member States, to “dispute” proceedings or exclusively to the internal security of Union institutions and bodies, including of their electronic communications networks (Article 25.(1)(d)).

Whereas the CSC members of the GCC are able to compare the EPO DPR with the EUDPR, they lack information (e.g. benchmarks) allowing them to compare with other international organisations or EU agencies, as regards the implementation of Article 25. They also lack benchmarks on how often these restrictions are applied in other organisations. Data on the past and current practice of imposing such restrictions at the EPO are also not available.

Consultation process

The Circular mentions “extensive consultation with those relevant internal stakeholders over the last few months”. One of the main stakeholders, the representatives of the EPO staff, i.e., its Staff representation was excluded from the task force. A single one-hour ViCo was convened by the DPO for explaining the Circular and for the Staff Representation to give their input. However, IT issues prevented the circular from being available for all staff representatives on time. Due to the very tight time line and the extremely late involvement of the Staff Representation, no replacement ViCo could be convened. The GCC meeting is de facto the first opportunity to discuss the Circular with management. One informal meeting with the DPO took place beforehand.

As to the content

Article 4 provides a list of situations, or legal grounds, in which restrictions to the rights of the data subject are possible. It lists inter alia also internal audits. One can reasonably assume that some right on data protection might have to be temporarily restricted during investigative or disciplinary proceedings. However, in the case of internal audits this is questionable. “Internal audits” is a broad term. It might be that there are some specific internal audits for which such restrictions are




necessary. These specific internal audits should have been listed instead of the broad term “internal audits”.

Restrictions are discretionary acts by a data controller, hence subject to limited review. In reply to a request for review, the (delegated) controller will only inform the requester whether the data have been processed correctly and, if not, whether any necessary corrections have been made3. It is therefore very different from a usual request for review within the meaning of Article 109 ServRegs, which calls for a reasoned decision4. The controller must be able to demonstrate compliance with the DPR, for accountability purposes, but the requester is not informed of that “demonstration”.

The Office might impose restrictions, e.g., as regards confidentiality of electronic communications, in investigations, disciplinary proceedings, appeals proceedings, health-related processes. The grounds for the restriction have to be given, i.e., the “legal basis” for the restriction as listed in Article 4. Reasons for restrictions might remain hidden to the data subject in certain cases5. When it comes to disputes in such cases, the facts available to one party, the Office, shall be made available to the Data Protection Board upon request. The other party, i.e., the staff member, will not necessarily have access to those facts. This jeopardises the right to a “fair trial” before the DPB.

This shows again that these restrictions should be imposed only in very specific and exceptional cases. And this is further proof of the importance of the independence of both the Data Protection Board and the DPO, which is crucial for building trust..

Conclusion

The Office deliberately chooses not to follow the EUDPR, which can be considered the “gold standard”. Even when taking into account the institutional set-up of the Organisation6, the new framework could have been aligned closer to the EUDPR. The main problems are, in particular, that the President of the Office is both the controller and the appointing authority for the members of the DPB and that the DPB cannot make binding opinions.

The new framework will require re-evaluation in a few years, hopefully with a view to coming closer to the EUDPR.

Based on the foregoing, the CSC members of the GCC unanimously abstain on the document.

_____________ 3 Article 25(3)c DPR. 4 Article 109(4) ServRegs: “The competent appointing authority shall take a reasoned decision on the outcome of the review...” 5 See Article 7(4); see also Article 25(3)b. and 25(4) DPR 6 See, e.g., Article 10 EPC




Opinion of the CSC members of the GCC on document GCC/DOC 27/2021: Rules of Procedure of the Data Protection Board

The CSC members of the GCC give the following opinion on document GCC/DOC 27/2021.

Introduction

The Administrative Council (AC) has been informed in June 2021 of the Data Protection Rules (DPR) with document CA/26/21 Add. 1. The AC has adopted the new data protection framework with decision CA/D 5/21.

The Data Protection Board (DPB) has two functions, namely an oversight / advisory function and a function as part of the mechanism for legal redress1. The Rules of Procedure (RoP) of the DPB describe the role and the responsibilities of the DPB, including the procedure for dealing with complaints on data protection issues.

The RoP of the DPB relate to the second function, i.e. dealing with complaints. The DPB will replace the Appeals Committee (ApC) for decisions on data protection issues. The RoP for the DPB resemble the RoP for the ApC. In comparison, they include inter alia additional directions for the Board, e.g. as regards criteria for receivability (Article 5), various constraints on time limits for internal processing, the concrete form of opinions (Article 10), etc. The DPB is composed of members having a recognised technical and/or legal background, especially in data protection matters. One would expect that the DPB would be in a position to sort out such matters in an autonomous manner, i.e., deciding on the RoP themselves without interference by the President of the Office, taking for instance good judicial practice and ILOAT jurisprudence into account.

The RoP of the DPB are adopted by the President of the Office in consultation with the President of the Boards of Appeal. With the GCC document, the President informs the GCC members that he adopts the RoP of the DPB. The role of the DPB is limited to proposing amendments to these RoP, which the President may adopt or reject. The DPO confirmed this in the GCC meeting: the DPO would consider whether the proposed amendments could be taken over. By contrast, the Appeals Committee adopts its own Rules of Procedure (with additional approval from the President of the EPO). The latter is the more appropriate sequence for a body intended to be an independent supervisory.

The general impression is that the DPO is willing to retain control on the procedure, which the DPB is expected to follow, although the DPB is the DPO’s supervisory.

The missing bits: rules for oversight / advisory and whistleblowing functions

The RoP include a general statement as to its role, viz. an expert, reliable and authoritative body in the field of data protection ensuring an appropriately informed decision-making process by the President. However, the rules exclusively relate to its function as a replacement for the ApC for dealing with individual disputes. No rules are set up for its advisory function.

Furthermore, under Article 68 of the EU Regulation, staff members of the EU institutions, bodies and agencies can lodge complaints with the European Data Protection Supervisory

_____________ 1 Article 47 DPR




(EDPS), which roughly corresponds to the DPB, even if they are not personally affected by the alleged breach. This is a whistle-blower provision. The EPO excludes this possibility in Article 3(1): only the data subject whose data protection rights have allegedly been infringed is entitled to lodge a complaint.

This could be explained by external institutional constraints, such as the regulations at ILOAT, if the DPB was regarded exclusively as a replacement for the ApC. However, this is not the case and there is a need for establishing a formal channel for dealing with whistle-blowers, in data protection matters as well as in other matters. Presently there is no such channel formalised in the Service Regulations.

Specific positive aspects in the RoP of the DPB:

- Article 10(6): the reasoned opinion of the DPB is communicated to all parties at the same time, including the complainant.

- Article 15(2): a possibility is created for the Board to further examine a complaint of its own motion after the complainant has withdrawn.

- Article 9(7): there is a provision for urgency.

- Article 16(1): the communication of the final decisions is apparently managed by the DPB itself (Secretariat).

The CSC members of the GCC suggest that the ApC should consider including these aspects, mutatis mutandis, into their own rules.

Negative aspect in the RoP:

- Contrary to the ApC, no hearing is foreseen.

The CSC members of the GCC suggest that the DPB should consider including this essential possibility, mutatis mutandis, into their own rules and regret that the DPO is of the opinion that proceedings in writing are sufficient in all cases.


Another publication has been passed along -- an even more interesting one. The EPO has become a technical blunder which not only breaks laws but also has broken systems. This is what happens when the President hires friends (nepotism) instead of people with suitable qualifications. Aside from illegal outsourcing (to external companies) they end up with a circus of a patent office.

Recent Techrights' Posts

It's a Lot Easier to Participate in the Unethical System Than to Oppose Injustices in It
Going after powerful and high-budget interests is never easy
 
Slopwatch: LLM Sloppers in Google News, LinuxSecurity, and More
they also perpetuate some falsehoods as the LLMs lack any comprehension
Links 08/08/2025: China King of Plastics and US Dictator Plans to Meet Russian Dictator
Links for the day
Gemini Links 08/08/2025: Cracking a Family Member's Password and Overdose of Slop
Links for the day
Red Hat's Latest Talent Hunt, Day Ahead of Mass Layoffs, is Yet Another Microsoft Executive
Red Hat will apparently commence mass layoffs early this coming Monday
Links 08/08/2025: "Quit Facebook" and High Cost of Microsoft/Windows Shown Again ("BlackSuit")
Links for the day
Good Morning, Readers of The Register MS
Things The Register MS could (but does not) cover this morning
Why Gemini Protocol Has a Bright Future
Maybe Gemini Protocol's promise becomes more appealing as the Web turns to slop and bloat
Microsofters Filed Two SLAPPs Against Us, Now They Cannot Keep Up With Judges' Orders
For over 4 months already their facilitator in London has been under investigation by British authorities because of what's being done to my wife and I
Censorship Regarding Red Hat Layoffs
Talk about this? They'd rather not.
Struggling to Cut Costs, Microsoft Continues Shutting Down and Cancelling Stuff This Month
There are August layoffs at Microsoft
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, August 07, 2025
IRC logs for Thursday, August 07, 2025
Fake 'Linux' Articles, Written by Bots to Take Traffic Away From Real Articles
LLM slop helps replace information with junk or misinformation
When Google's Googlebombing of "Gemini" Was Not Enough; They Now Also Googlebomb "Gemini Space"?
We know GAFAM not only worries about Gemini Protocol but also attempts to 'infiltrate' Geminispace
The Register MS Promotes Microsoft Slop, Assumes All Readers Use Microsoft Windows
Microsoft really dominates the site
Gemini Links 08/08/2025: KDE/Qt Development and What's Missing From "Retro"
Links for the day
Links 07/08/2025: US Punishes India Instead of Russia, Attacks Law Firms to Prevent Scrutiny
Links for the day
Read Us in Geminispace as Well
it's definitely a lot simpler than using a Web browser
Once a Site About BSD and GNU/Linux, and After Months of Silence, LinuxBSDos.com Comes Back Only as a Slopfarm
very frustrating
Links 07/08/2025: Hardware Wars, Mass Recall of Colgate Total Clean Mint, More Microsoft Holes Found
Links for the day
Gemini Links 07/08/2025: "Right To Manage" and LoRa Analysis
Links for the day
For the First Time in a Month OSI's "OpenSource.org" Blogs and It's Basically a Microsoft Blog Post (Microsoft Controls OSI)
For the first time in a month OSI writes something and it is Microsoft propaganda composed by a Microsoft-salaried operative
Microsoft, Already Borrowing 3 Billion Dollars a Month, is Trying to Cause Many People to Resign
MSN (i.e. Microsoft) and others openly admit it
GAFAM 'Says' is Front Page "News"
The point of journalism is to check and assess facts, not parrot what people and companies merely claim
Links 07/08/2025: Apple Makes False Promises, More Trouble for Microsoft
Links for the day
OSS Didn't Always Mean Open Source Software
"oligarchs all the way down"
The Register MS Does More Microsoft Sez or GitHub Sez (Says) Pieces
60 minutes ago
They Want Activists to Just Barely Walk and Eat, Not Do Activism Anymore
It's sort of like the ending of '1984'
Quit Perpetuating the Narrative of Gemini Protocol 'Dying' (It's False)
The "whisper campaign" against Gemini Protocol
Criticising Social Control Media in Social Control Media
Many people are quitting Social Control Media (fewer of them announce this in public)
Non-Free JavaScript Programs in Banks Aren't Even the Biggest Problem
Technology was supposed to make life easier; in practice, however, for most of us the opposite effect can be observed
Slopfarms Are Typically Fake News
Slopfarms typically relay falsehoods
Gemini Links 06/08/2025: Replacing a Pocket Watch and Buying in Bulk
Links for the day
IBM is Obliterating Fedora
"Fedora releases were shipping with an increasing number of bugs on launch day even while I was using it for a several year stretch."
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, August 06, 2025
IRC logs for Wednesday, August 06, 2025
August Hits Microsoft Hard: Dead Divisions, Dead Products, Layoffs Again (on Week 1)
Microsoft's debt is soaring
Slopwatch: Slow Day for LLM Slop, Serial Sloppers Still at It in Their Slopfarms
The Web would be better off if those sites went offline
Red Hat Layoffs Expected in 5 Days (Monday)
"They will announce and proceed with the cuts on 08/11."
Links 06/08/2025: Substack in Trouble, Slop Sceptic Shira Perlmutter Seeks Emergency Injunction Pending Appeal
Links for the day
Gemini Links 06/08/2025: Pinephone, Reverse-Engineering, and More
Links for the day
Links 06/08/2025: Faked Values of Slop Companies and Government Bailouts
Links for the day
FOSSY 2025 Conference Safety
The GAFAM-funded FOSSY 2025 is over
Microsoft's Favourite Pay-to-Say 'Analyst' Firm Has Just Collapsed
'Analysts' that helped propel Microsoft to fictional values akin to Ponzi schemes
Ask Google (Jeeves)
What does Google "know", not know, or would rather forget (or embellish)?
They Want You To Talk About Trump or 'The Other Bill' in Relation to Trafficking of Underage Girls for Sexual Exploitation
Just something we wanted to say...
How to Quadruple Your "Goodwill" Value and Grow Your (Wall) Street "Value" From $152B to $4000B Without Producing a Single Successful Product/Service
The longer it goes on for, the bigger the implosion will be
Staying Productive
Two very reputable institutions recently told us they now reckon Microsoft is somehow funding those SLAPPs against us
A Blow for Patent Ambitions of Bill Epsteingate
It's about money
66 Countries Where More People Use iPhones (or iPads) Than Microsoft Windows, According to statCounter Data
a list of countries where iOS now exceeds Windows
Apple's iOS Bigger Than Microsoft Windows in Many Countries
This ought to alarm Microsoft
The Mainstream Media Talks About Spotify Share Price and Price Hikes, Not Its Debt Increasing by About 33% in Just 12 Months
Spotify isn't a company in good shape
New "US Editor for The Register" is 80% Microsoft and Windows
they typically just treat Microsoft like the "Holy Grail" of "IT"
Microsoft is Apparently Sending Gag Orders or NDAs to Staff That Got Laid Off (“We were told not to post on LinkedIn. Not to say anything.”)
The main lies we keep seeing
Richard M. Stallman Has Published AI Memos Since 1980 (45 Years Ago)
Back when the term AI actually meant something
Gemini Links 06/08/2025: BitTorrent and Feedly Bots
Links for the day
Windows All-Time Lows, Android All-Time Highs in Kuwait
New lows for Windows can be found in many countries this month
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, August 05, 2025
IRC logs for Tuesday, August 05, 2025