The GDPR governs consent for processing of _personal data_. Generally, anonymized data is not personal.
The author attacks the anonymization method, but that is a thin branch to stand on. In particular, given how GDPR is very much about usage, Microsoft helps substantiate their anonymization simply by not attempting to deanonymize.
See eg Art 7,
> Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
And Recital 26
> The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
No, read the description. To be personal data for the purposes of the GDPR, it must be related to an identifiable natural person (ie not a corporation). I don’t see how Microsoft could relate a MAC address to a natural person.
The GDPR governs consent for processing of _personal data_. Generally, anonymized data is not personal.
The author attacks the anonymization method, but that is a thin branch to stand on. In particular, given how GDPR is very much about usage, Microsoft helps substantiate their anonymization simply by not attempting to deanonymize.
See eg Art 7,
> Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
And Recital 26
> The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.