> The $50 million punishment feels so insubstantial
It's potentially quite a bit more. TFA mentions another two penalties: "three times the total benefits that have been obtained and are reasonably attributable" (~2.5 million customers times $40+ for the difference in subscrptions times three is $300 million), or "30 per cent of the corporation’s adjusted turnover during the breach turnover period" if the preceding can't be reasonably calculated (I'm not going to dig through Microsoft's financial statements, but it's probably substantial.) The greatest of three is taken.
If you still think it's pocket change, the point of fines is not to bankrupt the company, but to lead them to less shitty behavior by disincentivizing the alternative. It takes a persistent effort and time.
It's potentially quite a bit more. TFA mentions another two penalties: "three times the total benefits that have been obtained and are reasonably attributable" (~2.5 million customers times $40+ for the difference in subscrptions times three is $300 million), or "30 per cent of the corporation’s adjusted turnover during the breach turnover period" if the preceding can't be reasonably calculated (I'm not going to dig through Microsoft's financial statements, but it's probably substantial.) The greatest of three is taken.
If you still think it's pocket change, the point of fines is not to bankrupt the company, but to lead them to less shitty behavior by disincentivizing the alternative. It takes a persistent effort and time.