03.16.21

Gemini version available ♊︎

EPO and Microsoft Collude to Break the Law — Part IX: Know Your Vendor…

Posted in Deception, Europe, Microsoft, Patents at 4:26 am by Dr. Roy Schestowitz

Previous parts:

A big brother-like spy
The never-ending saga of Microsoft’s run-ins with European data protection authorities

Summary: Microsoft is one of the world’s worst offenders when it comes to privacy, but vendor assessment by the EPO conveniently overlooks the law

Even before GDPR came into effect in May 2018, data protection regulators in some European countries were starting to have their doubts about whether Microsoft’s flagship product, its Windows operating system, was compliant with European data protection standards.

The first national authority to kick into action was the French National Data Protection Commission (CNIL).

Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question.

“Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question.”No fewer than six violations of the French Data Protection Act were identified by CNIL, including continued transfer of data based on Safe Harbor principles despite the fact that the Safe Harbour Agreement had been invalidated by the CJEU in October 2015.

Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.

In June 2017, it was reported that Microsoft had scaled back the volume of data it collected from Windows 10 PCs by “almost half”. This led CNIL to announce that Windows 10 was no longer in breach of the country’s data protection laws and that it had decided to close the case.

But that was only the first chapter in the never-ending saga of Microsoft’s run-ins with European data protection authorities.

“Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.”A few months later in October 2017, it was reported that the Dutch data protection authority (Autoriteit Persoonsgegevens) had come to the conclusion that Microsoft was in breach of Dutch data protection law due to the way it processed the personal data of Windows 10 users.

According to the Dutch data watchdog, Microsoft made it impossible for users to give their valid consent to their personal data being processed due to the multiple ways in which that data might subsequently be used.

The Dutch regulator noted that Microsoft had promised to end its “violations”, but warned that a failure to do so could lead it to impose a sanction.

After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release “new, potentially unlawful, instances of personal data processing”.

“After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release “new, potentially unlawful, instances of personal data processing”.”In the meantime GDPR had entered into force, and this led the Dutch data protection authority to refer its concerns to the competent lead EU privacy regulator under the new regulations. This was the national data protection authority where Microsoft’s regional HQ for the EU is located, namely the Irish Data Protection Commission.

And so the seriously under-resourced Irish DPC added the Microsoft GDPR non-compliance case to an already long list of files concerning the cross-border data processing activities of multiple tech giants which had accumulated on its docket since the GDPR came into force in May 2018.

According to the most recently available reports from May 2020 the Microsoft case is still pending before the Irish Data Protection Commission.

The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.

“The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.”The DPIA was commissioned because this was a clear-cut case of data processing on a large scale (by 300,000 government employees) which involved personal data, including data that could be potentially used to track the activities of employees.

The aim of the exercise was to assess the extent to which Microsoft’s Office Online and the Mobile Office Apps could be deployed in a GDPR-compliant manner by Dutch government organisations.

The scope of the investigation included the five most commonly used Office 365 applications – Word, PowerPoint, Outlook, Excel and Microsoft Teams – in Office Online and the Mobile Office apps, in combination with the use of cloud storage services.

The final report [PDF], which was published in November 2018, identified a number of serious data protection risks, in particular the following:

• Loss of control over the use of personal data;
• Loss of confidentiality;
• Inability to exercise rights;
• Re-identification of pseudonymised data;
• Unlawful (further) processing.

It was noted that effective risk mitigation was outside of the users’ control and could only be carried out by Microsoft.

“It was noted that effective risk mitigation was outside of the users’ control and could only be carried out by Microsoft.”The investigation found an unacceptable lack of control by users over the processing of personal data by Office 365 mobile applications. Because of this government organisations were advised to create policies for their employees stating that they were not to use mobile Office 365 applications.

As we shall see in the next part, the investigation by the Dutch authorities into the GDPR-compliance of Microsoft products prompted the European Data Protection Supervisor to announce its own investigation into Microsoft products used by EU institutions.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. [Meme] IBM Has Paid ZDNet to Troll the Community

    Over the past few weeks ZDNet has constantly published courses with the word "master" in their headlines (we caught several examples; a few are shown above); years ago this was common, also in relation to IBM itself; clearly IBM thinks that the word is racially sensitive and offensive only when it's not IBM using the word and nowadays IBM pays ZDNet — sometimes proxying through the Linux Foundation — to relay this self-contradictory message whose objective is to shame programmers, Free software communities etc. (through guilt they can leverage more power and resort to projection tactics, sometimes outright slander which distracts)



  2. [Meme] ILO Designed to Fail: EPO Presidents Cannot be Held Accountable If ILOAT Takes Almost a Decade to Issue a Simple Ruling

    The recent ILOAT ruling (a trivial no-brainer) inadvertently reminds one of the severe weaknesses of ILOAT; what good is a system of accountability that issues rulings on decisions that are barely relevant anymore (or too late to correct)?



  3. Links 22/10/2021: Trump's AGPL Violations and Chrome 95 Released

    Links for the day



  4. [Meme] How Corporate Monopolies Demonise Critics of Their Technically and Legally Problematic 'Products'

    When the technical substance of some criticism stands (defensible based upon evidence), and is increasingly difficult to refute based on facts, make up some fictional issue — a straw man argument — and then respond to that phony issue based on no facts at all



  5. Links 22/10/2021: Global Encryption Day

    Links for the day



  6. [Meme] Speaking the Same Language

    Language inside the EPO is misleading. Francophones Benoît Battistelli and António Campinos casually misuse the word “social”.



  7. António Campinos Thinks Salary Reductions Months Before He Leaves is “Exceptional Social Gesture”

    Just as Benoît Battistelli had a profound misunderstanding of the concept of “social democracy” his mate seems to completely misunderstand what a “social gesture” is (should have asked his father)



  8. IRC Proceedings: Thursday, October 21, 2021

    IRC logs for Thursday, October 21, 2021



  9. Links 21/10/2021: MX Linux 21 and Git Contributors’ Summit in a Nutshell

    Links for the day



  10. [Meme] [Teaser] Miguel de Icaza on CEO of Microsoft GitHub

    Our ongoing series, which is very long, will shed much-needed light on GitHub and its goals (the dark side is a lot darker than people care to realise)



  11. Gemini Protocol and Gemini Space Are Not a Niche; for Techrights, Gemini Means Half a Million Page Requests a Month

    Techrights on gemini:// has become very big and we’ll soon regenerate all the pages (about 37,500 of them) to improve clarity, consistency, and general integrity



  12. 'Satellite States' of EPO Autocrats

    Today we look more closely at how Baltic states were rendered 'voting fodder' by large European states, looking to rubber-stamp new and oppressive measures which disempower the masses



  13. [Meme] Don't Mention 'Brexit' to Team UPC

    It seems perfectly clear that UPC cannot start, contrary to what the EPO‘s António Campinos told the Council last week (lying, as usual) and what the EPO insinuates in Twitter; in fact, a legal challenge to this should be almost trivial



  14. The EPO’s Overseer/Overseen Collusion — Part IXX: The Baltic States

    How unlawful EPO rules were unsurprisingly supported by Benoît Battistelli‘s friends in Baltic states; António Campinos maintained those same unlawful rules and Baltic connections, in effect liaising with offices known for their corruption (convicted officials, too; they did not have diplomatic immunity, unlike Battistelli and Campinos)



  15. Links 21/10/2021: GIMP 2.99.8 Released, Hardware Shortages, Mozilla Crisis

    Links for the day



  16. How Oppressive Governments and Web Monopolists Might Try to Discourage Adoption of Internet Protocols Like Gemini

    Popular movements and even some courageous publications have long been subverted by demonisation tactics, splits along unrelated grounds (such as controversial politics) and — failing that — technical sabotage and censorship; one must familiarise oneself with commonly-recurring themes of social control by altercation



  17. [Meme] Strike Triangulations, Reception Issues

    Financial strangulations for Benoît Battistelli‘s unlawful “Strike Regulations”? The EPO will come to regret 2013…



  18. [Meme] Is Saying “No!” to Unlawful Proposals Considered “Impolite”?

    A ‘toxic mix’ of enablers and cowards (who won’t vote negatively on EPO proposals which they know to be unlawful) can serve to show that the EPO isn’t a “social democracy” as Benoît Battistelli liked to call it; it’s just a dictatorship, currently run by the son of a person who actually fought dictatorship



  19. IRC Proceedings: Wednesday, October 20, 2021

    IRC logs for Wednesday, October 20, 2021



  20. [Meme] EPO Legal Sophistry and Double Dipping

    An imaginary EPO intercept of Administrative Council discussions in June 2013...



  21. Links 21/10/2021: PostgreSQL JDBC 42.3.0 and Maui Report

    Links for the day



  22. [Meme] [Teaser] “Judge a Person Both by His Friends and Enemies”

    Fervent supporters of Team Battistelli or Team Campinos (a dark EPO era) are showing their allegiances; WIPO and EPO have abused staff similarly over the past decade or so



  23. 'Cluster-Voting' in the European Patent Office/Organisation (When a Country With 1.9 Million Citizens Has the Same Voting Power as a Country With 83.1 Million Citizens)

    Today we examine who has been running the Finnish patent office and has moreover voted in the EPO during the ballot on unlawful "Strike Regulations"; they voted in favour of manifestly illegal rules and for 8.5 years after that (including last Wednesday) they continued to back a shady regime which undermines the EPO's mission statement



  24. The EPO’s Overseer/Overseen Collusion — Part XVIII: Helsinki's Accord

    The Finnish outpost has long been strategic to the EPO because it can help control the vote of four or more nations; evidence suggests this has not changed



  25. [Meme] Living as a Human Resource, Working for Despots

    The EPO has become a truly awful place/employer to work for; salary is 2,000 euros for some (despite workplace stress, sometimes relocation to a foreign country)



  26. Links 20/10/2021: New Redcore Linux and Hospital Adoption of GNU Health

    Links for the day



  27. IRC Proceedings: Tuesday, October 19, 2021

    IRC logs for Tuesday, October 19, 2021



  28. Links 19/10/2021: Karanbir Singh Leaves CentOS Board, GPL Violations at Vizio

    Links for the day



  29. [Meme] Giving the Knee

    The 'knee' champion Kratochvìl and 'kneel' champion Erlingsdóttir are simply crushing the law; they’re ignoring the trouble of EPO staff and abuses of the Office, facilitated by the Council itself (i.e. facilitated by themselves)



  30. Josef Kratochvìl Rewarded Again for Covering Up EPO Corruption and the EPO Bribes the Press for Lies Whilst Also Lying About Its Colossal Privacy Violations

    Corrupt officials and officials who actively enable the crimes still control the Office and also the body which was supposed to oversee it; it's pretty evident and clear judging by this week's press statements at the EPO's official Web site


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts