LinkedIn received a €310 million fine from the Irish Data Protection Commission for violating European Union law on the processing of personal data for behavioral analysis and targeted advertising.
The penalty follows an inquiry into the lawfulness, fairness, and transparency of LinkedIn’s data processing, which began with a complaint filed several years ago by the French non-profit organization La Quadrature Du Net.
According to the Irish data watchdog (DPC), LinkedIn failed to meet the standards for obtaining valid consent, and could not validly rely on legitimate interests or contractual necessity as a legal basis for its use of personal data for advertising.
Specifically, the following General Data Protection Regulation (GDPR) violations have been confirmed by the DPC:
- Article 6(1)(a): LinkedIn failed to obtain valid consent for third-party data.
- Article 6(1)(f): LinkedIn’s use of legitimate interests as a legal basis was overridden by users’ rights.
- Article 6(1)(b): LinkedIn’s claim that data processing was contractually necessary was invalid.
- Articles 13(1)(c) and 14(1)(c): LinkedIn failed to provide sufficient information about its processing activities.
- Article 5(1)(a): LinkedIn violated the principle of fairness by processing data in ways users did not fully understand.
LinkedIn is now ordered to bring its data processing and transparency practices into compliance with European Union legal requirements, and to pay a fine of €310 million ($335 million).
“The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioral analysis and targeted advertising of users who have created LinkedIn profiles (members),” reads the DPC announcement, adding that “The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totaling €310 million.”
The inquiry resulted in the imposition of three administrative fines under Articles 58(2)(i) and 83 GDPR.
The DPC will publish its full decision at a later date, containing all details about its findings on LinkedIn’s data practices.
Responding to our request for comment on the DPC’s announcement, a LinkedIn spokesperson told BleepingComputer that they previously thought they were GDPR-compliant but will now focus on amending their advertising systems to better comply with the regulation.
“Today, the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU. While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline.” – LinkedIn spokesperson