Yes. But there are too few of them, and usually in situations where other companies can still wait and see. "We aren't Facebook", "We are too small to be noticed" and "but we had them sign a waiver" are still prevalent in most companies.
For things to change, there would really need to be something like:
- data protection fines the whole of the customer list of Amazon/Google/MS cloud
- data protection fines a high-profile company a lot of money for using Office365
- a court forces a public institution to cease using Office365 (no fines possible there)
- enforcement accelerates to a point where, from complaint to fine, things take only a few weeks, instead of a few years, so that lots of medium and smaller businesses are hit. Currently enforcement seems to be starting with the big cases, and being bogged down in the complexity of those.
There's nothing wrong with persecuting the large perpetrators first, and only going into the smaller ones once the large get under control. In fact, it's the cost-effective way of doing it.
Besides, the GDPR is not extremely clear, so setting the boundaries in a very public way is a good thing.
Don't know about Norway. But whether fines apply to public institutions is up to the member states, and most member states, including Germany, have decided not to fine their public institutions for GDPR violations.
> have decided not to fine their public institutions for GDPR violations
Because they’re too Byzantine to make enforcement practicable, or because they’re not seen as a privacy risk (the government in Germany should know lots about you), or something else?
The official argument is that fining public institutions is a game of taking from the right pocket to put in the left pocket. It's the state fining itself. Also, officially, public servants are thought to obey the law as a matter of course. A certain interpretation of the law can just be made an official order to all subordinate government agencies, and any civil servant disobeying that interpretation is at fault for not performing their duties and treated accordingly.
However, that all leads to the obvious workarounds: the official interpretation is usually the most lenient possible, compliance is put off to some time next century due to lack of personnel/budget/willpower. And if something is found to be amiss, the data protection officer may order a government agency to fix whatever is wrong, but can neither fine nor discipline a civil servant. Because disciplining is up to the direct disciplinary superior, which cannot be (due to them being independent) the data protection officer.
So 3 enforcements in Germany in all of 2022, and the highest fine in Germany was 35mil. 35mil is how much for Microsoft? The yearly Office 365 fees of one of their DAX customers?
The possible fine for Microsoft would be 4% of the sales revenue of the whole company, which would amount to 6.8 billion dollars (at 170 billion dollars revenue in 2021).
The big fish all have their EU branches incorporated in Ireland for tax reasons. Filter by Ireland and you'll see some larger fines and some more well-known company names. And even then, it's a well-known contention within the EU that the Irish data protection authority is dragging their feet on investigations and fines because of the "tax reasons" part.
It's nothing, but once one of their customers gets a 5 million euro fine for using Office365 for sensitive data, the impact will be significantly higher. Microsoft can take the hit but most of its customers can't.
Microsoft's incompatibility with the GDPR puts some of its customers at risk. A fine or two and businesses might stop paying for those lucrative cloud subscriptions.
That's not what's being discussed. My comment asserts with certainty that a small business will never be punished as leverage against the upstream big corp.
It's not Microsoft's fault if customers use it to store GDPR relevant data. It's Microsoft's customers using them as an external data processor. It's the companies that are using O365 for such data that will get fined.
The fine is not to send a signal to Microsoft. The fine is a punishment for letting Microsoft process personal information when it's known that they do so in a way that violates the GDPR.
The €100 fine to that one website that included Google Fonts wasn't an attempt to get Google to put Google Fonts in a European holding or whatever. That was never going to happen. It was to punish that website for breaking the law.
Before anything like this will hit the news, there would first be a massive lawsuit that will probably take months or years. I wouldn't be surprised if Microsoft would throw lawyer money to the company involved just to make sure the lawsuit doesn't end up setting a precedent against their product.
Never underestimate German courts and their willingness to uphold privacy laws when they get challenged.