
> The regulation explicitly says so.

Where do you see that in the ePrivacy Directive?




Reading the article, it's the French Data Protection Act, which is the French incorporation of various data privacy laws into French law. Where is your claim that it's based solely on the ePrivacy Directive coming from?


The decision considers both, but the decision is combining two regulations: one that says you need to get consent before using storage for purposes that aren't 'strictly necessary' (ePrivacy) and another that says how consent for the processing of personal data must be collected (GDPR). This is not the same as a regulation that explicitly says how consent for storage must be gathered, and before this decision it was not clear how the two regulations interacted on this point.


GDPR would override all others.


The constraints on use of client-side storage aren't reiterated in the GDPR: they are only in the ePrivacy Directive and the upcoming ePrivacy Regulation. The interaction between the GDPR and ePrivacy was not obvious on this point.


Civil law does not leave room for such creative interpretations. Even if the storage is being done client-side, as long as the company can access and use it, they will be considered to have that information. Then GDPR will kick in. Note that cookies are also stored client side.


Sorry, I wasn't saying that Microsoft was claiming not to have access to the information. I was saying that the interaction between two different rules was unclear before this decision:

1. The ePrivacy Directive says that before setting anything in client-side storage you must have the consent of the user unless it is strictly necessary for performing an operation requested by that user.

2. The GDPR requires consent from the user before using their personal data in a bunch of different ways, and provides a lot of details on how that consent may be collected to be considered valid.

My interpretation of Microsoft's behavior here is that they were compliant with (1) and (2) individually, but the problem was the way they were collecting consent for (1) did not follow the requirements of (2).


Not coming from the ePrivacy directive. It comes from GDPR and consent basis.

GDPR Article 7, 3, conditions for consent.

> It shall be as easy to withdraw as to give consent.

https://gdpr-info.eu/art-7-gdpr/


See my response to Macha above: https://news.ycombinator.com/item?id=34097918


Withdrawal is not the same thing as refusal.


When the permission is withdrawn, the other party cannot collect more data. And the existing data that they collected would need to be deleted if the user asks them to. If the withdrawal of permission also involves permissions regarding data storage and processing, it would mean that the company would need to destroy any personal data that they have.


If withdrawing is meant to be “undo consent”, how would you make that as easy as the initial “one click to consent”? Would you not have to show a banner on every page view, with a one click option to “withdraw”?


You'll have to go and ask the legislators what they were imagining. Thankfully it's not being interpreted quite as literally. Sometimes pragmatism saves the day.


I assume "withdrawal" is the legal term used for clicking "no" on a cookie banner.

In which case yes, it is the same as refusal in the context of the law being discussed.


Why would you assume that?


Why does a dog bark? It's just in my nature I guess.


I think they're probably thinking of the GDPR - that said, I'm not sure this isn't partially a GDPR fine?



