Microsoft: the CNIL tackles the indigestion of cookies on Bing.com


Following a complaint about the conditions under which cookies are placed on bing.com, the CNIL has hit Microsoft Ireland Operations Limited, the search engine's data controller, in the wallet.

On December 19, 2022, the restricted committee of the French data protection regulator imposed a fine of 60 million euros on the European subsidiary of the computing giant, which operates the search platform, for not having put in place a readable and transparent mechanism for accepting or refusing cookies.

After carrying out checks in September 2020 and May 2021, the CNIL found that cookies were placed on the user's terminal without prior consent. The regulator also noted “the absence of a button making it possible to refuse the deposit of cookies as easily as to accept it”, even though this is required by the general regulations on the protection of online data.

Three months to raise the bar

The sanction is steep, but the amount of the fine remains below the previous record penalties imposed by the CNIL on Google and Amazon.

The CNIL justifies this amount of 60 million euros by “the scope of the processing, by the number of people concerned and by the benefits that the company derives from the advertising revenues indirectly generated from the data collected by the cookies”.

In addition to the administrative fine, the regulator announced that it was also issuing an injunction, backed by a penalty payment, so that “the company collects on the bing.com website, within three months, the consent of people residing in France before depositing cookies and trackers for advertising purposes on their terminal”. After this period, the company will have to pay a fine of 60,000 euros per day of delay if it does not comply.

Until now, Microsoft had stayed under the CNIL's radar for its management of cookies, but not under that of the European regulatory services. In May 2021, Brussels launched an investigation into the GDPR compliance of Azure and AWS services.

Separately, the European Data Protection Supervisor (EDPS) had launched an investigation into the use of Microsoft Office 365 by the European Commission, in relation to the Schrems II ruling. For similar reasons, in France, the deployment of the Microsoft Office 365 solution in schools is under fire from critics.




