On December 22, 2022, France’s National Commission for Technology and Freedoms (“CNIL”) fined Microsoft’s Irish subsidiary 60 million euro for failure to comply with Article 82 of the French Data Protection Law (known as the “Loi Informatique et Libertés”). Article 82 is France’s implementation of the EU’s ePrivacy Directive, and it generally requires that any subscriber or user of an electronic communications service be informed in a clear and complete manner by the website operator of two things: (1) The purpose of any action tending to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment (aka, in part, “cookies”); and (2)The means at the user’s disposal to oppose it.
In settling on a 60 million euro fine, the CNIL states it reviewed the scope of the processing, the number of data subjects, and the profits the company made from advertising profits indirectly generated from the data collected via cookies. In addition to the administrative fine, Microsoft was ordered to become compliant with Article 82 within three months, otherwise the company may be required to pay a penalty of 60,000 euros per day thereafter.
The CNIL action is a reminder that analytical tools remain in the crosshairs, and companies should carefully weigh the risks and value when setting up their consent and notice mechanisms.