The Irish Data Protection Commission (DPC) has imposed a €310 million fine on LinkedIn Ireland for GDPR violations related to the processing of personal data for behavioral analysis and targeted advertising. The decision, announced earlier today, comes after a lengthy investigation into LinkedIn’s practices following a complaint from a French non-profit.
The DPC's inquiry, initiated in August 2018, scrutinized how LinkedIn processed both first-party data from its users and third-party data obtained via partners. The investigation revealed that LinkedIn's reliance on consent, contractual necessity, and legitimate interest as lawful bases for its data processing was invalid. Specifically, the DPC found that LinkedIn did not adequately meet GDPR standards regarding consent and transparency, and that its users’ rights outweighed LinkedIn’s interests.
LinkedIn, the professional networking platform owned by Microsoft, has around 950 million members worldwide. In this case, the DPC, acting as the lead supervisory authority under the GDPR’s cooperation mechanism, worked alongside other EU/EEA data protection authorities. The regulatory body concluded that LinkedIn’s data practices failed to ensure fairness and transparency, and violated several articles of the GDPR, including Articles 6 and 5(1)(a), which mandate lawful and fair processing of personal data.
The DPC outlined three key areas of non-compliance in its ruling:
- LinkedIn’s consent from users for behavioral analysis and targeted advertising was deemed not freely given, specific, or informed.
- LinkedIn's claim of legitimate interest in processing personal data was overridden by users' fundamental privacy rights.
- The platform did not meet GDPR requirements for informing users about data processing bases under Article 6, including consent and contractual necessity.
As part of its enforcement, the DPC issued LinkedIn a formal reprimand, mandated changes to its data processing practices, and levied the €310 million fine, one of the largest imposed for GDPR breaches to date. The ruling emphasizes the significance of transparency and fairness in data handling, particularly when personal data is used for advertising purposes.
LinkedIn is required to revise its data processing activities to comply with the GDPR, ensuring that future user data collection for advertising purposes is done with valid legal justification and full user awareness. The full details of the DPC’s decision will be published soon, providing further insights into the specific corrective measures that LinkedIn must implement.
In a comment for CyberInsider, LinkedIn stated: “Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU. While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC's deadline.”