On 22 December 2022, the French Data Protection Authority (“CNIL”, “French DPA”) fined the tech industry giant MICROSOFT IRELAND OPERATIONS LIMITED (“Microsoft”, “Company”) EUR 60,000,000. The fine is a result of an investigation carried out by CNIL, which revealed that the Company’s search engine Bing automatically deposited cookies, some of which included cookies used to fight against advertising fraud, prior to obtaining the data subject’s consent. As advertisement cookies require explicit data subject consent, the French DPA found this a violation on Microsoft’s end.
Violations concerning Microsoft’s cookie practices were also established in the process of obtaining consent. As explained by the authority, two clicks were needed to refuse all cookies, while only one was needed to accept them. This is not the first time the French DPA issues fines for violations of this nature. In January of 2022, CNIL fined Google EUR 150,000,000 and Facebook EUR 60,000,000 million for making it too confusing for users to reject cookies.
In the context of learning from past mistakes, practice of data protection authorities is not the only source of material encouraging improvement. As seen from the fine issued by the Polish Data Protection Authority (“Polish DPA”), the list of sources for this purpose may also include risk assessments.
The fine is a result of a break in, during which a laptop of an employee of a mayor was stolen. The mayor had kept adequate documentation since the beginning of the application of the GDPR and had performed a risk assessment, therefore was aware of the areas that had to be improved to ensure the security of processing by using portable computer devices. As a result of the personal data breach the controller took steps to avoid similar incidents in the future by encrypting laptop hard drives. This said, it was only after the data breach occurred that the controller complied with the results of its own risk assessment and the risk management specified therein.
What can we take from this?
Reviewing common practices and implementing changes within your own environment is undeniably essential regarding data protection compliance. In the case of Microsoft, the violations found by the French DPA were identified in other high-profile fines almost a year prior. In the case of the second fine, the identified deficiencies were found during a risk assessment and were not eliminated in a proper timeline.
In both of the reviewed cases, knowing what the current data protection practices were, identifying the aspects that require improvement, and implementing said things would have prevented the violations.
How to achieve this?
ECOVIS ProventusLaw welcomes you to our free monthly review of the most relevant GDPR fines. The review aims to introduce you and your staff to real-life examples of GDPR violations and provide advice on avoiding making similar mistakes.
You can access the monthly GDPR fine overviews.
The content of this article is intended to provide a general guide to the subject matter. If you need assistance regarding the specific situation related with GDPR compliance, or any other question related to personal data protection, please consult the experts of ECOVIS ProventusLaw.
This review was prepared by internationally certified ECOVIS ProventusLaw data protection expert Milda Šlekytė and junior associate Julija Ginotytė
Newsletter Subscription
Get in touch