
The decision considers both, but the decision is combining two regulations: one that says you need to get consent before using storage for purposes that aren't 'strictly necessary' (ePrivacy) and another that says how consent for the processing of personal data must be collected (GDPR). This is not the same as a regulation that explicitly says how consent for storage must be gathered, and before this decision it was not clear how the two regulations interacted on this point.



GDPR would override all others.


The constraints on use of client-side storage aren't reiterated in the GDPR: they are only in the ePrivacy Directive and the upcoming ePrivacy Regulation. The interaction between the GDPR and ePrivacy was not obvious on this point.


Civil law does not leave room for such creative interpretations. Even if the storage is being done client-side, as long as the company can access and use it, they will be considered to be having that information. Then GDPR will kick in. Note that cookies are also stored client side.


Sorry, I wasn't saying that Microsoft was claiming not to have access to the information. I was saying that the interaction between two different rules was unclear before this decision:

1. The ePrivacy Directive says that before setting anything in client-side storage you must have the consent of the user unless it is strictly necessary for performing an operation requested by that user.

2. The GDPR requires consent from the user before using their personal data in a bunch of different ways, and provides a lot of details on how that consent may be collected to be considered valid.

My interpretation of Microsoft's behavior here is that they were compliant with (1) and (2) individually, but the problem was the way they were collecting consent for (1) did not follow the requirements of (2).



