Microsoft revealed it was subject to a draft GDPR enforcement decision involving a $425 million fine in a message to investors posted on 1 June (and updated 8 June). Here’s what we know about Microsoft’s draft fine so far.
Microsoft’s short statement, published on the “investor relations” page of its website, discloses little about the fine. Here’s what we know based on the statement:
- The Irish Data Protection Commission (DPC) began an investigation into LinkedIn (which Microsoft acquired in 2016) in 2018, shortly after the GDPR took effect.
- The Irish DPC presented Microsoft with a “non-public” and “preliminary” draft decision in April 2023.
- The alleged GDPR violations involve targeted advertising.
- The decision comes with a fine equivalent to $425 million (approximately €389 million).
- Microsoft “dispute(s) the legal basis for, and the amount of, the proposed fine”.
Microsoft’s statement appears to be the only publicly available information about the fine. The Irish DPC does not appear to have mentioned its investigation into LinkedIn, either before or after Microsoft gave its statement on 1 June.
The amount of the fine
We know that Microsoft has reserved $425 million (approximately €389 million) to pay the fine associated with this decision.
The GDPR allows for fines of up to €20 million or 4% of a controller’s annual worldwide turnover for some infringements, and up to €10 million or 2% of annual worldwide turnover for other infringements.
The data controller for LinkedIn users in the EU, European Economic Area (EEA), and Switzerland is LinkedIn Ireland Unlimited Company (“LinkedIn Ireland”), rather than Microsoft.
In a report to the US Securities and Exchange Committee (SEC), Microsoft declared LinkedIn’s revenue as $13.8 billion (approximately €12.64 billion) in 2022.
As such, if this fine is levied directly against LinkedIn, it would constitute around 3% of the company’s annual worldwide turnover—a relatively large fine.
For context, Meta recently received a €1.2 billion (approximately $1.3 billion) GDPR fine – the largest GDPR penalty of all time, but only representing around 1.1% of its $116.8 billion global turnover for 2022.
However, the GDPR requires data protection authorities to impose fines against a controller’s parent company in certain circumstances.
The Irish DPC has taken this approach in its fines against WhatsApp, which were calculated with reference to the turnover of WhatsApp’s parent company, Meta Platforms Inc.
LinkedIn represents a small fraction of Microsoft’s overall turnover.
If the fine is calculated against Microsoft’s revenues, rather than LinkedIn’s—which seems likely, given Microsoft’s corporate structure—it would represent around 0.2% of Microsoft’s annual global turnover, which stood at $198.2 million (approximately €181.5 billion) in 2022.
The alleged violations
The Irish DPC’s preliminary decision reportedly concerns alleged violations of the GDPR’s rules on targeted advertising.
The GDPR is not the only EU law governing ad targeting. Advertising technologies such as cookies, and other similar technologies that store or access information on a person’s device, are regulated under the ePrivacy Directive.
However, the GDPR covers some aspects of online advertising, insofar as advertising activities involve the processing of personal data.
The fact that the Irish DPC is fining LinkedIn under the GDPR, rather than Ireland’s implementation of the ePrivacy Directive, suggests that LinkedIn’s alleged violations involve how the company processes personal data for the purposes of targeting ads.
LinkedIn’s Cookies Policy lists 37 cookies used for personalized advertising. Many of these cookies are provided by third parties, such as Facebook, Adobe, and Twitter.
LinkedIn appears to set some or all of these cookies on an “opt-out” basis, which could be problematic based on the ePrivacy Directive’s consent requirements and the GDPR’s definition of consent.
The Irish Data Protection Commission
The Irish DPC regulates GDPR compliance among most of the world’s “big tech” companies, with the European headquarters of Alphabet (Google), Apple, Meta (Facebook, Instagram, WhatsApp), and TikTok all registered in Ireland alongside Microsoft.
The Irish DPC has faced repeated criticism for its allegedly lax approach to GDPR regulation.
The regulator has imposed several large GDPR fines, notably against Meta. However, these fines have been subject to the GDPR’s “dispute resolution” process, whereby other data protection authorities can force a regulator to change draft findings or increase penalties.
As part of one recent decision subject to this dispute resolution process, the Irish DPC was forced to order Meta to stop relying on “contract” as its legal basis for targeting certain ads on Facebook and Instagram.
It’s not clear whether LinkedIn uses “contract” as a legal basis for ad targeting. However, if so, the Irish DPC is likely to follow its own precedent in this area, which would require LinkedIn to reconsider its legal basis for targeting ads.
Microsoft has indicated that it will take a charge of $425 million in the fourth quarter of the fiscal year 2023—but states that there is “no set timeline” for the Irish DPC to finalise its decision.