Irish Data Protection Commission (DPC) Fines LinkedIn €310 million Over Violation Of EU’s GDPR


LinkedIn has been fined €310 million by the Irish Data Protection Commission (DPC) for violating the EU’s General Data Protection Regulation (GDPR) by using registered users’ personal information for marketing and analysis. The ruling came after the DPC opened an investigation in response to an initial complaint filed in August 2018 by a French non-profit organisation with the French Data Protection Authority.

Since LinkedIn’s EU commercial operations are based in Ireland, the DPC, which serves as the lead supervisory authority for the company, took the lead on the inquiry. The investigation looked at how LinkedIn processed the data of individuals who had set up LinkedIn profiles for behavioural analysis and targeted advertising. The personal information in question included information that LinkedIn members submitted directly to the platform as well as information that LinkedIn acquired about its members through third-party partners.

The ruling addresses the lawfulness, fairness and transparency of this processing. The DPC ordered LinkedIn to pay an administrative fine of €310 million and to bring its processing into compliance with the GDPR.

Nicola Barden, a Data Protection Law Specialist at Pinsent Masons in Dublin, made the following observation: “The decision focuses on basic data protection requirements that all controllers should comply with, and regulators tend to take a strict approach to this type of processing.”

The DPC concluded that LinkedIn could not validly rely on Article 6.1 of the GDPR for its use of its members’ third-party data for behavioural analysis and targeted advertising. Article 6.1 sets out the legal bases required for processing personal data. Consent, contractual necessity, or legitimate interests may serve as the legal basis.

LinkedIn’s users’ consent was “not freely given, sufficiently informed or specific, or unambiguous,” according to the DPC. It also concluded that LinkedIn could not rely on legitimate interests, since its interests “were overridden by the interests and fundamental rights and freedoms of data subjects,” and that the processing of the relevant data was not contractually necessary.

The DPC concluded that LinkedIn lacked a valid legal basis for processing the data. Processing personal data without a valid legal basis violates data subjects’ fundamental right to data protection. The DPC found that LinkedIn had violated the fairness principle in Article 5(1)(a) of the GDPR.

Under that principle, the processing of personal data must not be harmful, discriminatory, unexpected, or deceptive to the data subject.

According to Barden: “The decision puts other controllers on notice that if they are undertaking behavioural analysis or targeted advertising, they have to have a very clear lawful basis that meets the requirements under data protection legislation.

“They also need to ensure that their lawful basis is set out in its public-facing privacy notice. Controllers relying on vague lawful bases and notices will not meet the DPC’s expectations,” he added.

Andreas Carney, a Dublin-based partner at Pinsent Masons, said: “The GDPR compliance points that are the focus of the DPC’s findings also reflect the need for controllers to properly consider ‘data protection by design’ in respect of their data processing activities.

“The decision underlines the importance of reflecting on compliance requirements in the round and from the ground up,” Carney added.

BrandSpur digital news platform reports that, as required by Article 60 of the GDPR, the DPC sent a draft decision to the GDPR enforcement bodies of the other EU member states in July 2024 before issuing the final decision. The other authorities accepted the proposed fine and order.

The GDPR’s so-called “one-stop shop” mechanism is intended to enable companies to deal with a single data protection authority (DPA) regarding their operations within the EU, rather than with the DPAs of every EU member state.

Under this arrangement, one DPA can take the lead in investigating cross-border cases. It does, however, require the lead authority to communicate with the other DPAs in the countries where data subjects have been affected. It also allows those other DPAs to contribute to the investigations and to raise “relevant and reasoned” objections to the lead authority’s proposed decisions. When the lead authority and the objecting authorities are unable to agree, the European Data Protection Board (EDPB) has the power to make legally binding decisions.

Since a large number of major digital companies have their EU headquarters in Ireland, the Irish DPC is frequently the authority leading data protection investigations in the internet industry. However, other national DPAs have frequently contested the DPC’s proposed decisions, typically because they considered them overly lenient.

Barden added: “The DPC will likely be pleased that there were no objections to its draft decision from other supervisory authorities, after a run of criticism for its decisions in the last few years.”