Microsoft and Privacy Enforcement: Has the Tech Giant Got Off Light?

In early June, Microsoft shared details of an incoming GDPR fine from the Irish Data Protection Commission (DPC) for which the company has put aside $425 million (around €390 million).

Microsoft is the largest software company in the world, with its products used on practically every desktop computer and nearly a billion users of its business-focused social network, LinkedIn.

This draft fine would be Microsoft’s first under the GDPR. But the company has dealt with data protection and privacy enforcement before—and so have several organisations that used Microsoft products.

The Draft LinkedIn Fine

Data protection observers were taken by surprise when Microsoft quietly disclosed a $425 million fine on the “investor relations” page of its website on 1 June.

The tech giant’s message to investors was the first hint of an investigation that has apparently been underway for over five years. But the statement revealed little about the fine—except that it relates to ad-targeting on LinkedIn and is at the “preliminary draft” phase.

Microsoft acquired LinkedIn in 2016. The social network’s privacy notice appears not to fully disclose how it justifies processing data for ad-targeting purposes.

Yet advertising makes up a significant portion of LinkedIn’s revenues, which Microsoft reported as $13.8 billion (around €12.64 billion) for its 2022 financial year.

The Irish DPC’s draft fine would amount to around 3% of that figure, a high proportion given that the GDPR caps fines at 4% of worldwide annual turnover for the most serious violations.

But that cap applies to the turnover of the whole undertaking, and LinkedIn’s parent company is far larger. Measured against Microsoft’s roughly $198 billion global revenues for the same financial year, the $425 million fine comes to around 0.2%.

Microsoft denies any wrongdoing and claims that the Irish DPC’s allegations are wrong both on the law and on the facts. But even if the DPC proceeds with the decision, the process of recovering any penalty could take several more years.

The Luck of the Irish (Subsidiaries)

Like practically every “big tech” corporation, Microsoft has chosen Ireland as its “main establishment” in the EU.

This means the Irish DPC is responsible for regulating Microsoft’s GDPR compliance—along with Apple, Google, Meta, TikTok, Twitter, and other data-hungry enterprises.

(Amazon is the notable exception—the company runs its European operations from a subsidiary based in Luxembourg, whose data protection regulator handed the company a €746 million GDPR fine in 2021).

As such, it’s perhaps unsurprising that Microsoft has yet to feel the brunt of GDPR enforcement. The Irish DPC has faced criticism from many quarters for its alleged lack of action on data protection.

The Irish Council for Civil Liberties (ICCL) recently accused the DPC of creating a GDPR “crisis”, and even the head of Germany’s federal data protection authority once criticised the DPC’s “extremely slow case handling”.

Ireland has issued many of the largest GDPR fines of all time—including its recent €1.2 billion penalty against Meta. 

But in almost every major case, the DPC has been initially reluctant to impose harsh sanctions, and fellow members of the European Data Protection Board (EDPB) have forced the Irish regulator’s hand.

(And despite consistently denying any tension between Ireland and other EDPB members, the DPC is taking the EU body to court after the EDPB ordered the DPC to carry out a “problematic” investigation into Meta’s data processing activities earlier this year).

Xbox COPPA Concerns

Microsoft’s privacy practices have also recently come under scrutiny across the Atlantic.

The US Federal Trade Commission (FTC) announced a proposed privacy order against Microsoft in early June—just a few days after the company told investors about its incoming GDPR fine.

The FTC’s order relates to Microsoft allegedly violating the federal Children’s Online Privacy Protection Act (COPPA) via its Xbox Live gaming product.

COPPA was enacted in 1998 and requires covered companies to notify parents and obtain their verifiable consent before collecting personal information from children under 13. The FTC’s implementing rule was updated in 2013 with new data retention and deletion requirements.

When people sign up for Xbox Live, Microsoft asks them for certain personal information, including their age. If the user says they’re under 13, Microsoft will suspend the account creation process while the child asks a parent or guardian to provide consent.

But the FTC alleged that between 2015 and 2020, Microsoft had been retaining children’s data, “sometimes for years”, even when no parent had consented.

The FTC found that this violated COPPA’s requirement to store children’s data for no longer than necessary for a specific purpose. Microsoft also allegedly failed to notify parents of all the types of personal information it collects, such as children’s profile pictures.

The US regulator’s order against Microsoft comes with a small penalty ($20 million, or around €18.2 million)—and requires the company to adopt new data deletion processes, notify video game companies if a user is under 13, and obtain parental consent for existing child users.

Bing’s Cookie Compliance

While the Irish DPC’s draft LinkedIn fine would be the first that Microsoft has received under the GDPR, the company did get a €60 million privacy-related penalty in late 2022 from the French data protection authority, known as the “CNIL”.

The CNIL is arguably the EU’s most active regulator when it comes to cookie and online advertising violations. In mid-June, the CNIL imposed the largest GDPR fine ever issued against a non-US company—€40 million against adtech firm Criteo.

Microsoft’s alleged violations related to its search engine, Bing, and were pursued by the CNIL under France’s implementation of another EU law, the ePrivacy Directive.

The CNIL took issue with how Microsoft was tracking people via Bing. The website reportedly set two “non-essential” cookies—used for purposes including advertising and fraud prevention—without obtaining people’s consent.

The ePrivacy Directive leaves penalties to each member state, and many set lower caps than the GDPR. France, however, allows the CNIL to apply GDPR-level penalties to ePrivacy violations, so French cookie fines often reach tens of millions of euros.

And unlike the GDPR, which requires regulators to pass cross-border complaints to a company’s “lead supervisory authority” (Ireland, in Microsoft’s case), any EU data protection authority can enforce the ePrivacy Directive within its own jurisdiction.

As such, many of Europe’s largest internet-related fines—including against Ireland-based companies like Google, Meta, and Apple—have been imposed by the CNIL under its implementation of the ePrivacy Directive rather than the GDPR.

Microsoft as a Service Provider

We’ve looked at three data protection and privacy cases pursued directly against Microsoft. This is a relatively small number, given the omnipresence of Microsoft’s properties and the quantity of data the company processes.

But despite this somewhat spotty enforcement against Microsoft itself, the company’s name frequently arises during GDPR investigations concerning other organisations.

In 2019, for example, a regulator in Germany banned the use of Microsoft’s Office 365 product by schools over concerns about students’ data being accessible to the US government.

And this May, the Finnish data protection authority sanctioned a school district for using Office 365, finding that the product exposed students’ personal data to an excessive number of people by default.

Microsoft is also mentioned repeatedly throughout investigations by the European Data Protection Supervisor (EDPS) and the EDPB into the use of cloud services by EU institutions and public sector bodies.

The message from such cases is clear. 

Companies using Microsoft’s products may be liable for any data protection infringements that occur when this software shares data with Microsoft.

Microsoft collects large amounts of personal data—sometimes for its own purposes—and often stores that data in the US. 

So despite the tech giant’s ubiquity, European companies should think carefully before using Microsoft as a service provider.
