03.16.21

Gemini version available ♊︎

EPO and Microsoft Collude to Break the Law — Part IX: Know Your Vendor…

Posted in Deception, Europe, Microsoft, Patents at 4:26 am by Dr. Roy Schestowitz

Previous parts:

A big brother-like spy
The never-ending saga of Microsoft’s run-ins with European data protection authorities

Summary: Microsoft is one of the world’s worst offenders when it comes to privacy, but vendor assessment by the EPO conveniently overlooks the law

Even before GDPR came into effect in May 2018, data protection regulators in some European countries were starting to have their doubts about whether Microsoft’s flagship product, its Windows operating system, was compliant with European data protection standards.

The first national authority to kick into action was the French National Data Protection Commission (CNIL).

Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question.

“Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question.”No fewer than six violations of the French Data Protection Act were identified by CNIL, including continued transfer of data based on Safe Harbor principles despite the fact that the Safe Harbour Agreement had been invalidated by the CJEU in October 2015.

Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.

In June 2017, it was reported that Microsoft had scaled back the volume of data it collected from Windows 10 PCs by “almost half”. This led CNIL to announce that Windows 10 was no longer in breach of the country’s data protection laws and that it had decided to close the case.

But that was only the first chapter in the never-ending saga of Microsoft’s run-ins with European data protection authorities.

“Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.”A few months later in October 2017, it was reported that the Dutch data protection authority (Autoriteit Persoonsgegevens) had come to the conclusion that Microsoft was in breach of Dutch data protection law due to the way it processed the personal data of Windows 10 users.

According to the Dutch data watchdog, Microsoft made it impossible for users to give their valid consent to their personal data being processed due to the multiple ways in which that data might subsequently be used.

The Dutch regulator noted that Microsoft had promised to end its “violations”, but warned that a failure to do so could lead it to impose a sanction.

After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release “new, potentially unlawful, instances of personal data processing”.

“After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release “new, potentially unlawful, instances of personal data processing”.”In the meantime GDPR had entered into force, and this led the Dutch data protection authority to refer its concerns to the competent lead EU privacy regulator under the new regulations. This was the national data protection authority where Microsoft’s regional HQ for the EU is located, namely the Irish Data Protection Commission.

And so the seriously under-resourced Irish DPC added the Microsoft GDPR non-compliance case to an already long list of files concerning the cross-border data processing activities of multiple tech giants which had accumulated on its docket since the GDPR came into force in May 2018.

According to the most recently available reports from May 2020 the Microsoft case is still pending before the Irish Data Protection Commission.

The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.

“The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.”The DPIA was commissioned because this was a clear-cut case of data processing on a large scale (by 300,000 government employees) which involved personal data, including data that could be potentially used to track the activities of employees.

The aim of the exercise was to assess the extent to which Microsoft’s Office Online and the Mobile Office Apps could be deployed in a GDPR-compliant manner by Dutch government organisations.

The scope of the investigation included the five most commonly used Office 365 applications – Word, PowerPoint, Outlook, Excel and Microsoft Teams – in Office Online and the Mobile Office apps, in combination with the use of cloud storage services.

The final report [PDF], which was published in November 2018, identified a number of serious data protection risks, in particular the following:

• Loss of control over the use of personal data;
• Loss of confidentiality;
• Inability to exercise rights;
• Re-identification of pseudonymised data;
• Unlawful (further) processing.

It was noted that effective risk mitigation was outside of the users’ control and could only be carried out by Microsoft.

“It was noted that effective risk mitigation was outside of the users’ control and could only be carried out by Microsoft.”The investigation found an unacceptable lack of control by users over the processing of personal data by Office 365 mobile applications. Because of this government organisations were advised to create policies for their employees stating that they were not to use mobile Office 365 applications.

As we shall see in the next part, the investigation by the Dutch authorities into the GDPR-compliance of Microsoft products prompted the European Data Protection Supervisor to announce its own investigation into Microsoft products used by EU institutions.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New

  1. Links 31/05/2023: Armbian 23.05 Release and Illegal UPC

    Links for the day

  2. IRC Proceedings: Tuesday, May 30, 2023

    IRC logs for Tuesday, May 30, 2023

  3. Gemini Protocol About to Turn 4 and It's Still Growing

    In the month of May we had zero downtime (no updates to the system or outages in the network), which means Lupa did not detect any errors such as timeouts and we’re on top of the list (the page was fixed a day or so after we wrote about it); Gemini continues to grow (chart by Botond) as we’re approaching the 4th anniversary of the protocol

  4. Links 31/05/2023: Librem Server v2, curl 8.1.2, and Kali Linux 2023.2 Release

    Links for the day

  5. Gemini Links 31/05/2023: Bayes Filter and Programming Wordle

    Links for the day

  6. [Meme] Makes No Sense for EPO (Now Connected to the EU) and Staff Pensions to be Tied to the UK After Brexit

    It seems like EPO staff is starting to have doubts about the safety of EPO pensions after Benoît Battistelli sent money to reckless gambling (EPOTIF) — a plot that’s 100% supported by António Campinos and his enablers in the Council, not to mention the European Union

  7. Working Conditions at EPO Deteriorate and Staff Inquires About Pension Rights

    Work is becoming a lot worse (not even compliant with the law!) and promises are constantly being broken, so staff is starting to chase management for answers and assurances pertaining to finances

  8. Links 30/05/2023: Orc 0.4.34 and Another Rust Crisis

    Links for the day

  9. Links 30/05/2023: Nitrux 2.8.1 and HypoPG 1.4.0

    Links for the day

  10. Gemini Links 30/05/2023: Bubble Version 3.0

    Links for the day

  11. Links 30/05/2023: LibreOffice 7.6 in Review and More Digital Restrictions (DRM) From HP

    Links for the day

  12. Gemini Links 30/05/2023: Curl Still Missing the Point?

    Links for the day

  13. IRC Proceedings: Monday, May 29, 2023

    IRC logs for Monday, May 29, 2023

  14. MS (Mark Shuttleworth) as a Microsoft Salesperson

    Canonical isn’t working for GNU/Linux or for Ubuntu; it’s working for “business partners” (WSL was all along about promoting Windows)

  15. First Speaker in Event for GNU at 40 Called for Resignation/Removal of GNU's Founder

    It’s good that the FSF prepares an event to celebrate GNU’s 40th anniversary, but readers told us that the speakers list is unsavoury, especially the first one (a key participant in the relentless campaign of defamation against the person who started both GNU and the FSF; the "FSFE" isn't even permitted to use that name)

  16. When Jokes Became 'Rude' (or Disingenuously Misinterpreted by the 'Cancel Mob')

    A new and more detailed explanation of what the wordplay around "pleasure card" actually meant

  17. Site Updates and Plans Ahead

    A quick look at or a roundup of what we've been up to, what we plan to publish in the future, what topics we shall focus on very soon, and progress moving to Alpine Linux

  18. Links 29/05/2023: Snap and PipeWire Plans as Vendor Lock-in

    Links for the day

  19. Gemini Links 29/05/2023: GNU/Linux Pains and More

    Links for the day

  20. Links 29/05/2023: Election in Fedora, Unifont 15.0.04

    Links for the day

  21. Gemini Links 29/05/2023: Rosy Crow 1.1.1 and Smolver 1.2.1 Released

    Links for the day

  22. IRC Proceedings: Sunday, May 28, 2023

    IRC logs for Sunday, May 28, 2023

  23. Daniel Stenberg Knows Almost Nothing About Gemini and He's Likely Just Protecting His Turf (HTTP/S)

    The man behind Curl, Daniel Stenberg, criticises Gemini; but it's not clear if he even bothered trying it (except very briefly) or just read some inaccurate, one-sided blurbs about it

  24. Links 29/05/2023: Videos Catchup and Gemini FUD

    Links for the day

  25. Links 28/05/2023: Linux 6.4 RC4 and MX Linux 23 Beta

    Links for the day

  26. Gemini Links 28/05/2023: Itanium Day, GNUnet DHT, and More

    Links for the day

  27. Links 28/05/2023: eGates System Collapses, More High TCO Stories (Microsoft Windows)

    Links for the day

  28. IRC Proceedings: Saturday, May 27, 2023

    IRC logs for Saturday, May 27, 2023

  29. No More Twitter, Mastodon, and Diaspora for Tux Machines (Goodbye to Social Control Media)

    People would benefit from mass abandonment of such pseudo-social pseudo-media.

  30. Links 28/05/2023: New Wine and More

    Links for the day

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts