The Irish Data Protection Commission (DPC) has imposed a €310 million fine on professional networking platform, LinkedIn, following an inquiry into the platform’s handling of personal data for behavioral analysis and targeted advertising.
The DPC, acting as LinkedIn’s lead supervisory authority under the General Data Protection Regulation (GDPR), launched the investigation after receiving a complaint from the French Data Protection Authority.
The decision, made by Data Protection Commissioners Dr. Des Hogan and Dale Sunderland and finalized on October 22, 2024, highlights serious breaches of GDPR concerning the lawfulness, fairness, and transparency of LinkedIn’s data processing practices.
In addition to the substantial fine, LinkedIn has been ordered to bring its data processing activities into compliance with GDPR standards.
Key GDPR violations
In a statement issued by DPC on Thursday, the regulator said its inquiry found that LinkedIn failed to obtain valid consent from users for the processing of their personal data for behavioral analysis and targeted advertising, thereby violating Article 6(1)(a) of the GDPR.
- It added that the consent obtained was neither freely given nor sufficiently informed or specific, violating the fundamental rights of users.
- In violation of Article 6(1)(f) of the GDPR which bothers on legitimate interests, the DPC said LinkedIn unlawfully processed members’ data for advertising purposes, claiming it was for legitimate interests.
- However, LinkedIn’s interests were overridden by the fundamental rights of its users, rendering the processing illegal.
- According to the regulator, LinkedIn improperly relied on the provision of Article 6(1)(b) of the GDPR on contractual necessity to justify the processing of members’ data for behavioral analysis, which the DPC determined was not necessary for fulfilling user contracts.
- The DPC said it also found LinkedIn in violation of Articles 13(1)(c) and 14(1)(c) for not providing clear information to users about the legal bases it relied on for data processing.
DPC’s stance on data protection
Graham Doyle, Deputy Commissioner of the DPC, emphasized the importance of lawful data processing in safeguarding user rights stating:
“The lawfulness of processing is a fundamental aspect of data protection law, and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.”
As part of the ruling, LinkedIn has been instructed to reform its data processing practices to ensure compliance with GDPR requirements.
What you should know
The decision by the DPC is the latest in a series of high-profile regulatory actions by data protection watchdogs all over the world.
In July, Nigeria’s Federal Competiton and Consumer Protection Commission (FCCPC) and the Nigeria Data Protection Commission (NDPC) imposed a $220 million fine against Meta Platforms Incorporated following a joint investigation into the company’s conduct, privacy policies, the operation thereof, and practices between May 2021 and December 2023.
The final order highlighted Meta’s alleged infringements to include, denying Nigerian data subjects the right to self-determine; unauthorized transfer and sharing of Nigerian data-subjects personal data, including cross-border storage in violation of then, and now prevailing law; discrimination and disparate treatment and abuse of Dominance.
