Bonum Certa Men Certa

EPO and Microsoft Collude to Break the Law -- Part IX: Know Your Vendor…

Previous parts:



A big brother-like spy
The never-ending saga of Microsoft's run-ins with European data protection authorities



Summary: Microsoft is one of the world's worst offenders when it comes to privacy, but vendor assessment by the EPO conveniently overlooks the law

Even before GDPR came into effect in May 2018, data protection regulators in some European countries were starting to have their doubts about whether Microsoft's flagship product, its Windows operating system, was compliant with European data protection standards.



The first national authority to kick into action was the French National Data Protection Commission (CNIL).

Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question.

"Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question."No fewer than six violations of the French Data Protection Act were identified by CNIL, including continued transfer of data based on Safe Harbor principles despite the fact that the Safe Harbour Agreement had been invalidated by the CJEU in October 2015.

Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.

In June 2017, it was reported that Microsoft had scaled back the volume of data it collected from Windows 10 PCs by "almost half". This led CNIL to announce that Windows 10 was no longer in breach of the country's data protection laws and that it had decided to close the case.

But that was only the first chapter in the never-ending saga of Microsoft's run-ins with European data protection authorities.

"Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000."A few months later in October 2017, it was reported that the Dutch data protection authority (Autoriteit Persoonsgegevens) had come to the conclusion that Microsoft was in breach of Dutch data protection law due to the way it processed the personal data of Windows 10 users.

According to the Dutch data watchdog, Microsoft made it impossible for users to give their valid consent to their personal data being processed due to the multiple ways in which that data might subsequently be used.

The Dutch regulator noted that Microsoft had promised to end its "violations", but warned that a failure to do so could lead it to impose a sanction.

After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release "new, potentially unlawful, instances of personal data processing".

"After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release "new, potentially unlawful, instances of personal data processing"."In the meantime GDPR had entered into force, and this led the Dutch data protection authority to refer its concerns to the competent lead EU privacy regulator under the new regulations. This was the national data protection authority where Microsoft's regional HQ for the EU is located, namely the Irish Data Protection Commission.

And so the seriously under-resourced Irish DPC added the Microsoft GDPR non-compliance case to an already long list of files concerning the cross-border data processing activities of multiple tech giants which had accumulated on its docket since the GDPR came into force in May 2018.

According to the most recently available reports from May 2020 the Microsoft case is still pending before the Irish Data Protection Commission.

The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.

"The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365."The DPIA was commissioned because this was a clear-cut case of data processing on a large scale (by 300,000 government employees) which involved personal data, including data that could be potentially used to track the activities of employees.

The aim of the exercise was to assess the extent to which Microsoft's Office Online and the Mobile Office Apps could be deployed in a GDPR-compliant manner by Dutch government organisations.

The scope of the investigation included the five most commonly used Office 365 applications – Word, PowerPoint, Outlook, Excel and Microsoft Teams – in Office Online and the Mobile Office apps, in combination with the use of cloud storage services.

The final report [PDF], which was published in November 2018, identified a number of serious data protection risks, in particular the following:

● Loss of control over the use of personal data; ● Loss of confidentiality; ● Inability to exercise rights; ● Re-identification of pseudonymised data; ● Unlawful (further) processing.

It was noted that effective risk mitigation was outside of the users' control and could only be carried out by Microsoft.

"It was noted that effective risk mitigation was outside of the users' control and could only be carried out by Microsoft."The investigation found an unacceptable lack of control by users over the processing of personal data by Office 365 mobile applications. Because of this government organisations were advised to create policies for their employees stating that they were not to use mobile Office 365 applications.

As we shall see in the next part, the investigation by the Dutch authorities into the GDPR-compliance of Microsoft products prompted the European Data Protection Supervisor to announce its own investigation into Microsoft products used by EU institutions.

Recent Techrights' Posts

They Don't Tell Us that 'Digitalisation' (Now Sold as "Hey Hi") Just Means Customers Become Unpaid Staff and Are Made Accountable
People are being conditioned to associate technology with something undesirable, at times even unbearable
Amazon Web Services (AWS) Has Layoffs and Microsoft Gaming/Entertainment Division Has an Uncertain Future
it's good to see all those horrible things crashing and burning
 
Gemini Links 22/07/2025: Thinkpad and Pinephone
Links for the day
Links 22/07/2025: "Blog Restart" and Microsoft Clobbered by “ToolShell"
Links for the day
Global Warming and Global GAFAM Energy-Wasting
Burn more money (borrowed, loans), then hope the waste will somehow translate into profit?
No Compliance With the European Patent Convention (EPC) at the European Patent Office (EPO)
It's about preventing competition against this autocracy
Blue-Collar Trolls vs White-Collar Trolls
Examples of white-collar trolls
Apple Vision Pro Failed So Badly That Its Sales Are About 2,000 Times Smaller Than iPhone Sales
What's left for Apple to offer other than hype?
To Millions of People "Year of the Linux Desktop" Was Some Time in the 1990s (Bootable GNU/Linux as a Complete Operating System is Over 33 in Age)
In some sense, "year of the Linux desktop" was 33 years ago
Make No Assumptions (or Demands) About the Screen Resolution Used by Other People
There are usability aspects, aside from accessibility aspects
Why Wayland (and XWayland) Won't Solve the Key Problem It Proclaims to be Tackling (the Same Is True for Rust)
The problem isn't Wayland per se but the false promises and efforts to force everybody to move to it whilst insulting or demonising everyone who won't play along
Diplomatic Immunity Should Not Exist for Anybody
The EPO in its current form gradually 'normalises' the end of European democracy
Brett Wilson LLP Stopped Sending Me Papers When I Showed It had Sent Me Over 5 Kilograms of Legal Papers
A week ago we lodged our third lawsuit
Microsoft Mass Layoffs and Shutdowns Became the New Normal at Microsoft
Microsoft mass layoffs became a topic of everyday media coverage since May
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, July 21, 2025
IRC logs for Monday, July 21, 2025
FSF "Raised Almost $139,000 During This Summer Campaign"
"Thank you for making a stand against dystopia!"
Gemini Links 22/07/2025: VPS Exploited and Fear of View
Links for the day
LLM Bots vs Techrights
Slows things down a bit
New Publication Sheds Lights on Abuse of Workers at the European Patent Office (EPO)
Put in simple terms, they're killing the Office, harming remaining staff, try to hire rubber-stampers
Links 21/07/2025: Hardware, Health, and Imperialism
Links for the day
Gemini Links 21/07/2025: "When Buying Isn't Owning" and "CMS Special Edition"
Links for the day
Links 21/07/2025: Indie Web and Toxic Politics
Links for the day
[Meme] Microsoft Lawyers Throwing Stones in Glass Houses
threatened me with bankruptcy
Google "AI Overview" is Not AI and Not Overview
do not be misled; what Google does isn't smart, it's just ripping off the sites it already crawled for as long as 27 years
Making the Case to Dump Microsoft and GAFAM for National and Digital Sovereignty
"Sovereignty is difficult"
The Tactics of the Opposition (Microsoft Lunduke): Associate With K00ks, Throw in Vaccines to Muddy the Water
Who stands to gain from this?
Europe's Second-Largest Institution (EPO) and Largest Patent Monopoly Office Needs More Transparency, Not Less Transparency
In the EPO, what good are elections when one candidate literally bribes all the voters?
How Not to Report News About Microsoft
This pattern of misreporting is so widespread that it's hard to believe it's not intentional
Computer Science is Under Attack, They Want Everyone to be a Consumer
If people can no longer acquire Computer Science education and real Computer Science experience, they will not know how to control their own digital destiny or emancipate the very same universities that now control the syllabus and instead of teaching Computer Science encourage the outsourcing of systems
The Best Tools Are the Simplest Tools
There's a hidden message here about the merits of sticking with X
Ofcom Online Safety Group Speaks of Protecting Women Online, Will Brett Wilson LLP Ever Listen?
They've essentially became like the Taliban's "burka police"
Social Control Media Relies on Advertisers, So It'll Always Be Hostile Towards Free Software
Sales, sales, sales
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, July 20, 2025
IRC logs for Sunday, July 20, 2025
Fragmentation of Data
Life is too short to "hoard" data
In Defence of "Spinning Rust"
Just because something is "old" (or older) doesn't mean it ought to become extinct
Using Free Software to Prepare Legal Documents
LibreOffice is openly complaining about OOXML as an obstacle
Tech and Technology Are Not the Same Anymore
"Are you into tech, Sir?"
Our Articles About SLAPPs Receive Recognition and Interest
This week we shall continue writing about the 3 lawsuits we filed
Are You Served?
For many people, advocacy of Free software and GPL enforcement are assumed to be happening
Conspiracy or grooming? Alex Jurado, Voice of Reason compared to Outreachy
Reprinted with permission from Daniel Pocock
Links 20/07/2025: Security Breaches and Former 'Open' 'AI' Engineer on Hype and Culture Issues
Links for the day
Links 20/07/2025: Fending Off BRICS and US Government Attacks Its Own Media (Like China and Russia)
Links for the day
Framed by social control media: Alex Belfield, Voice of Reason
Reprinted with permission from Daniel Pocock
Gemini Links 20/07/2025: Summertime and OCC25 Wrap-up
Links for the day
Jamie Zawinski Complained About Wayland, Then Decided to Give It a Go, Now Complains Again About Wayland
Ask IBM (Red Hat) why it's worth throwing so much away just for Wayland fanaticism
Slopwatch: Planet Ubuntu, LinuxSecurity, and More
former "Linux" blogs which basically became slopfarms
Russia Set to Ban Facebook?
If WhatsApp is made to "leave", that means Facebook or "Meta".
Links 20/07/2025: More GAFAM Lawsuits, Layoffs, and SLAPPs
Links for the day
Taking Stock of a Good and Productive Week
We shall now be taking a break, unpacking the new hard drive (8 TB), and making backups of everything
Nice Recovery (From Actual Fire) by PCLinuxOS, New Version of PCLinuxOS Released, Now Top of DistoWatch
PCLinuxOS is a community-driven distro
More Microsoft Shutdowns That Mostly Slipped Under the Radar
Remember what happened to books 'sold' by Microsoft?
Microsoft Lunduke Still Fighting Cancel Culture With... Cancel Culture
There will be no "winners" in such 'debates'
The History of Daily Links and Politics
"I support Wayland, but I also support abortion..."
Ageism in Tech
Your protocol is "old"...
Microsoft is at 0% "Market Share" in Most Areas
Depending on the taxonomy chosen, there may be dozens of categories other than desktops and laptops
"The moment MSFT stock fails to start tumbling, that’s the beginning of another corporate giant going under."
There are far more layoffs at Microsoft than at Intel, but you would not get this impression based on Wall Street media
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, July 19, 2025
IRC logs for Saturday, July 19, 2025