European Commission broke its own data privacy law with Microsoft 365 use

The European Commission has been reprimanded for infringing its own data protection regulations when using Microsoft 365. The rebuke came from the European Data Protection Supervisor (EDPS) and is the culmination of an investigation that kicked off in May 2021, following the Schrems II judgement. According to the EDPS, the EC …

  1. Missing Semicolon Silver badge
    FAIL

    Kicking!

    You won't believe how long the grass is that this will be kicked into!

    1. jmch

      Re: Kicking!

      Well, it's absolutely not ideal that a top EU institution can't follow EU rules...... BUT, I have to say, it's unlikely this gets kicked into the long grass. They will, at the very least, have to build themselves a bodge / fig-leaf cover that demonstrates compliance. And since now that they have been exposed, the usual suspects (Schrems et al, but also the European Data Protection Commissioner) will be keeping a close watch, it's more probable that they will have to fix it properly (even if reluctantly)

      1. Anonymous Coward

        Re: Kicking!

        I'm not convinced.

        This is the same lot that has mandated black boxes in cars and is trying to work out how to make reporting of speeding mandatory without causing an uproar, so don't tell me they're truly invested in privacy for OUR benefit - it's more about political leverage.

        1. jmch

          Re: Kicking!

          " mandated black boxes in cars and is trying to work out how to make reporting of speeding mandatory "

          The EU's record on privacy is usually such that reporting on speeding would fall foul of a bunch of directives, and there certainly isn't the political climate for anybody to be able to force through any such thing. In fact, 10 seconds googling shows the limits of what these black boxes are recording:

          "The device records certain parameters for a short period of time – five seconds before the crash and 0.3 seconds after the impact. According to the documentation provided by the European Commission, an EDR records and stores the following data: speed, braking, the position and tilt of the car on the road, and how the built-in safety systems react."

          and

          "The information recorded by the EDR belongs to the driver or the vehicle's owner. The device operates on a closed-loop system, and the data is gathered anonymously to ensure it's not subject to manipulation if it falls into the wrong hands. For the same reason, the last four digits of the vehicle identification number (VIN) are not stored."

          (source - https://www.motor1.com/news/706396/black-box-europe-mandatory-july-2024/)

          1. John Robson Silver badge

            Re: Kicking!

            You can't bring facts to an argument where the EU are concerned.

            Personally I'd be all for automated speed restrictors, and black box speed recording. If you don't want to pay the fine, simply abide by the posted speed limit.

            You'll have pretty good evidence of whether or not the speed limit was posted if the black box records that the car didn't see a speed limit sign...

            1. Anonymous Coward

              Re: Kicking!

              Yeah, I hope you never have a kid with a life threatening condition. Context matters.

              1. John Robson Silver badge

                Re: Kicking!

                "Yeah, I hope you never have a kid with a life threatening condition. Context matters."

                I've had a kid in special care... context matters.

                There are a few options

                - Call a fucking ambulance to get the support you need as fast as possible.

                - Drive within the law to get to the hospital

                - Decide that a fine is worth paying and speed

                That third is always an option - despite my vehicle having a speed limiter, which I always have enabled, all I need to do is either manually adjust the setting (using a stalk control) or floor it.

                Having the speed limiter enabled by default doesn't mean that it can't be overridden, but you'd better have a damned good reason for doing so.

                1. Anonymous Coward

                  Re: Kicking!

                  If we had ambulances near where I lived that would get there in time I would have preferred that option (immediate care while en route, for instance, is much better and they have a priority status in traffic), but that was the problem - there weren't any. So in the end I took every extra driving class I could get my hands on and hoped I never needed it, but I did - three times in total.

                  There's one feature in A&E that tells you how urgent your case is - if the triage nurse takes one look at the kid and immediately calls a doctor you know it's serious.

                  I prefer to pay a fine in that case.

                  BTW, if you have a speed limiter and you can disable it, is it then really a limiter? I normally drive within the limits all by myself - I reserve speeding for when it's needed (and no, being late for work is IMHO not a need :) ).

                  1. John Robson Silver badge

                    Re: Kicking!

                    Ambulance availability is indeed critical - but that "on site" care is a winner whenever it's available, even if that's from a first responder who can usually get there pretty fast.

                    "There's one feature in A&E that tells you how urgent your case is - if the triage nurse takes one look at the kid and immediately calls a doctor you know it's serious."

                    And when the reception nurse puts the patient straight into a bed without even calling the triage nurse - it's really serious.

                    "I prefer to pay a fine in that case."

                    Agreed, which is why that human control is important. Particularly given that it's far less dangerous to do 90 on a motorway than it is to do 30 or 40 in a town centre - choosing *where* to pick up time is a critical judgement call.

                    "BTW, if you have a speed limiter and you can disable it, is it then really a limiter?"

                    Yes - it's a "default cap", eliminates any concern about speed cameras without me having to think about it, and often I find that I'm manually holding a speed that's just one or two mph below the posted limit, because that's what feels like a safe speed. The point is that you have to make an active decision to speed, rather than just having your foot gradually slip down the accelerator - Call it an idiot check, but I make those all the time at various points in my day - "Do I have my bag, and my phone, and my keys" idiot check, but a manual one.

                    Having the limiter be controllable also means that on the occasions when something isn't correctly picked up (for instance there is a temporary works limit at a junction near me at the moment, and as I turn between roads at the junction my car thinks the default speed limit applies on the new road, when it's still within the temporary limit) then you can override it - whether that's down or up.

                    Stupidly I can't tell the car that I want the speed limiter to be the default setting, it always defaults to cruise control, so if I engage it without changing the setting first the car sets off to the speed limit...

                    Far better to have cruise control be the thing I need to set up manually - or just let me choose which is the default.

            2. jmch

              Re: Kicking!

              "I'd be all for automated speed restrictors, and black box speed recording. "

              I absolutely wouldn't, for 3 very important reasons:

              a) Vehicle recognition of speed limit signs is sketchy. My car very often interprets off-ramp / side road speed limits as belonging to the main road I'm driving on. Vehicle/ GPS knowledge of speed limits is also sketchy, seeing that it has no knowledge of roadwork-related temporary restrictions, nor to changes in local speed limits (in some cases even years after the change)

              b) even if sometime in the next decade or 2 the functionality of sign recognition and the mapping information update frequency drastically improves, it's still dependent on humans making weird speed limit choices. I've driven along countless narrow mountain roads with a limit of 80km/h when driving anywhere near that would be suicidal, and countless others where no doubt some local council busybody has imposed a 30km/h limit on a wide straight stretch with good visibility and no pedestrian usage. There is zero chance that this will ever be fixed, because human nature.

              c) accident recording can be set to have a short buffer of a few seconds with the data overwritten every time. Speed recording means continuous recording of the whole journey, and because speed on its own is meaningless without knowing the limit and therefore the location, it means a continuous permanent record of the location of every car, which is completely unacceptable.

              1. John Robson Silver badge

                Re: Kicking!

                Automated doesn't mean "imposed".

                Copying from a post I just made in response to someone else:

                "BTW, if you have a speed limiter and you can disable it, is it then really a limiter?"

                Yes - it's a "default cap", eliminates any concern about speed cameras without me having to think about it, and often I find that I'm manually holding a speed that's just one or two mph below the posted limit, because that's what feels like a safe speed. The point is that you have to make an active decision to speed, rather than just having your foot gradually slip down the accelerator - Call it an idiot check, but I make those all the time at various points in my day - "Do I have my bag, and my phone, and my keys" idiot check, but a manual one.

                Having the limiter be controllable also means that on the occasions when something isn't correctly picked up (for instance there is a temporary works limit at a junction near me at the moment, and as I turn between roads at the junction my car thinks the default speed limit applies on the new road, when it's still within the temporary limit) then you can override it - whether that's down or up.

                That deals with point a and b.

                For point c - it doesn't need to be permanently recorded - it only needs to record infractions, in the same way it only records accidents. Maybe with an additional one or two item buffer of the latest visual and mapping based limit changes.

                And yes, on the occasion that all the ambulances are on fire and I need to get a critically ill child to hospital I'll happily break the speed limit at various places en route, and have no interest in blocking that. But the speeding is then a _deliberate_ choice, not a casual "overran the speed limit down this hill" issue - and *that*, along with rigorous enforcement, would be a massive win.

          2. Anonymous Coward

            Re: Kicking!

            That's the headline takeaway, but the ownership of the information is more subtly layered than that:

            – with the owner’s consent;

            – in response to a court order or probable cause of an offense;

            – for improving vehicle safety by auto dealers and auto technicians seeking to repair a vehicle,

            – for public authorities when data shall be anonymised.

            And also:

            - Access to EDR data is generally under the control of the vehicle owner, since the physical interface for the device is inside the vehicle. However, it is possible to transmit the data, if the vehicle is so equipped.

            - Vehicles with Advanced Automatic Crash Notification systems transmit EDR information to a central location when software in the vehicle determines that a crash has occurred, based on data from the EDR.

            - In vehicles with wireless data transmission capabilities, it would be possible to have regular or continuous transmission of EDR data

            https://www.europarl.europa.eu/cmsdata/158076/2018_11_29_wiewiorowski_event_recorders.pdf

            makes interesting reading, EDR from p15

          3. Anonymous Coward

            Re: Kicking!

            Hmmm.

            Here is just one example - see clause 2.1.6. Note the absence of any options.

    2. LybsterRoy Silver badge

      Re: Kicking!

      When I read the headline my thought was will the EU fine an EU organisation with the payment coming from public funds - just like in the UK?

  2. Doctor Syntax Silver badge

    "Our customers in Europe can continue to use Microsoft 365 in full compliance with the GDPR and can count on our continued support and guidance."

    Rees-Davies applies.

    1. Potemkine! Silver badge
      1. druck Silver badge

        It's Rice-Davies applies as in Mandy Rice-Davies

        1. Doctor Syntax Silver badge

          Oops. Yes. Must remember. Age & all that...

          1. druck Silver badge

            If you were there, you probably can't remember it.

    2. ZimboKraut
      Mushroom

      MS 365 cannot and is not fully compliant with GDPR

      No matter how often MS say they are but they are not

      Best part is MS Purview AME

      They are trying to convince people that their email encryption conforms to GDPR.

      They are lying through their teeth.

      Apart from that, you are opening up your data and information not only to Microsoft but to American espionage.

      I know it all sounds like conspiracy but....

      Anyway.

      Anyone with a little bit of common sense and some legal experience will understand...

      Besides:

      For instance the chief federal data protection officer of Germany has publicly stated that O365 is not legal in regards to GDPR (DSGVO in Germany)

  3. shazapont
    Big Brother

    Would using the OVH-hosted Microsoft 365 service have helped avoid some of these problems?

    1. Anonymous Coward

      Sure, then you combine OVH (home of many hackers as far as my logfiles tell me) with MS, home of the worst vulnerabilities in the industry (OK, Adobe is trying hard to surpass them but they're not there yet).

      Doesn't strike me as a wise move, but you do save the people who want in a lot of bandwidth :)

  4. steamnut

    Go look with that!

    "The EC has been ordered to suspend all data flows through the use of Microsoft 365 to Microsoft and any of its tentacles..."

    1. sabroni Silver badge

      Re: Go look with that!

      Good luck with that?

  5. Pseu Donyme

    By now it should be abundantly clear that the US Big Tech companies not only don't care about data protection but are built around a business model that makes them actively hostile to it; anyone taking data protection seriously can't but ditch them. Instead of fraternizing with the enemy (of data protection) the Commission should be busy looking for and pushing alternatives* which would also have the benefit of increased strategic independence: it is hardly ideal to depend on a de-facto monopoly, much worse if that is a foreign one ultimately under the thumb of an unpredictable government that may very well turn hostile (at the next election).

    * The obvious ones would be the existing free / open source projects; a practical policy example would be that public monies in the EU could only be used to buy hardware that can run a free & open source OS (such as Linux for PCs or AOSP for phones and tablets)

    1. I could be a dog really Silver badge

      Unfortunately the forward directions are "don't start from here".

      We needed to start from 20 years ago when it was patently clear that MS had a policy of "intertwine everything with everything else, keep changing the undocumented interfaces/formats, and actively block out any possible competition". And people walked* blindly into the trap, even though some of us could see the problem and were warning about it.

      Sadly, there really isn't anything around now that could give MS a decent challenge - there's just too wide a breadth of intertwinement of complex tools, and of course some deliberate "non-compatibility" measures such as needing the correct encryption keys to interoperate with AD and even DNS - but those not being available outside of the MS stack.

      * I nearly left the typo (s/n/l/) in there as it would have been slightly appropriate to the topic.

    2. I could be a dog really Silver badge

      Like that would make any difference. If you recall, there were moves to require all documents be in an open standard format - so logically Open Document Format which was a "clean", logical, and well documented format supported by everything but MS (MS had, and still has, token but broken support for it).

      What happened ? Well MS put its own "Office Open" format forward for ISO approval, and had to stuff no end of national standards bodies with shills to push it through. I recall looking at it at the time, it's a turd wrapped in a turd, and barely given a polish. It explicitly eschews referring to other standards (e.g for country codes, date/time formats, yada, yada), instead using its own incompatible ones - and even codifies bugs in its own software ! Some bits (e.g. "binary blob in Word 97 format") are unimplementable by third parties, and AFAIK there is no independent test suite.

      But it's now a "standard" so MS simply paid to get around the requirement to support open standards.

      Mandate support for FOSS and they'll simply do the same - for example, look up Tivo and the lengths they went to with their PVR. It technically supports FOSS (uses a Linux kernel) and would tick the box, but in practice you cannot change any of the software running on it.

  6. mpi Silver badge

    Well, it's not like the tools to get out of big tech's tentacles didn't exist.

    It would require funding and, most importantly, the political will to do so, but it is doable, and worth it.

    Unfortunately, the political ruling class is completely disinterested in this. And so is the electorate failing to punish them for this incompetence at the voting booth.

  7. elitejedimaster

    Go ahead… fine us!

    *takes money from one pocket and transfers it to another*
