This decision follows an extensive inquiry into LinkedIn's data processing practices, particularly concerning the use of personal data for behavioural analysis and targeted advertising.
The complaint against LinkedIn was initially lodged by the French digital rights non-profit organization La Quadrature Du Net in 2018. The complaint was first reported to the French Data Protection Authority, which then passed it to the Irish Data Protection Commission (DPC) since LinkedIn's European headquarters are located in Ireland. The inquiry scrutinised LinkedIn's compliance with the General Data Protection Regulation (GDPR), focusing on the lawfulness, fairness, and transparency of its data processing activities.
In addition to the hefty fine, the DPC issued a reprimand and mandated LinkedIn to bring its data processing practices into compliance with GDPR requirements.
DPC Deputy Commissioner Graham Doyle commented:
“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject's fundamental right to data protection.” The DPC will publish the full decision and further related information in due
LinkedIn's behavioral analysis involved processing personal data to create detailed profiles of its users for targeted advertising. This process included analysing users' activities, interactions, and preferences on the platform to deliver personalised ads.
Insufficient Consent: LinkedIn's method of obtaining user consent for data processing was found to be inadequate. The consent was not freely given, specific, informed, or unambiguous, as required by GDPR Article 6(1)(a).
Legitimate Interests: LinkedIn claimed that it had a legitimate interest in processing user data for advertising purposes. However, the Irish Data Protection Commission (DPC) determined that the users' rights and freedoms outweighed LinkedIn's interests, especially given the intrusive nature of behavioral profiling.
Contractual Necessity: LinkedIn also argued that processing personal data for behavioral analysis was necessary to fulfill its contractual obligations to users. The DPC rejected this argument, stating that such processing was not essential to the core functionality of LinkedIn's services.
LinkedIn has indicated that it will adjust its data processing practices to align with the DPC’s requirements, despite disputing the decision.
"While we believe we have been in compliance with the GDPR, we are working to ensure our ad practices meet this decision by the DPC's deadline"².
linkedIn fine October 24, 2024 DPC infographic
References
(1) Irish Data Protection Commission fines LinkedIn Ireland €310 million. https://www.dataprotection.ie/en/news-media/press-releases/irish-data-protection-commission-fines-linkedin-ireland-eu310-million.
(2) Irish data watchdog fines LinkedIn €310m - RTÉ. https://www.rte.ie/news/business/2024/1024/1477224-linkedin-fined-by-dpc/.
(3) Irish DPC issues €310m fine to LinkedIn Ireland. https://www.siliconrepublic.com/business/dpc-linkedin-ireland-data-gdpr.
(4) EU fines LinkedIn $334 million for violating the GDPR - Engadget. https://www.engadget.com/big-tech/eu-fines-linkedin-334-million-for-violating-the-gdpr-123053773.html.
(5) Linkedin must pay a fine of 310 million euros - heise online. https://www.heise.de/en/news/Linkedin-must-pay-a-fine-of-310-million-euros-9992950.html.
(6) LinkedIn faces massive fine for violating GDPR | Windows Central. https://www.windowscentral.com/microsoft/processing-of-personal-data-without-an-appropriate-legal-basis-is-a-clear-and-serious-violation-says-eu-as-it-fines-linkedin-usd334-million-for-violating-gdpr.
Source: Conversation with Copilot, 25/10/2024
(7) LinkedIn fined $335 million in EU for tracking ads privacy breaches. https://techcrunch.com/2024/10/24/linkedin-fined-356-million-in-eu-for-tracking-ads-privacy-breaches/.
(8) LinkedIn stung with $334 million fine by EU over GDPR violations. https://www.phonearena.com/news/linkedin-334-million-fine-eu-gdpr-violations_id164121.
(9) LinkedIn Fined $335 Million By Irish Data Protection Commission For GDPR Violations In Ad Tracking Practices. https://www.msn.com/en-in/news/other/linkedin-fined-335-million-by-irish-data-protection-commission-for-gdpr-violations-in-ad-tracking-practices/ar-AA1sRijr.
(10) LinkedIn's €310 Million GDPR Fine: What It Means for Data Privacy .... https://www.compliancehub.wiki/linkedins-eu310-million-gdpr-fine-what-it-means-for-data-privacy-compliance/.
(11) LinkedIn faces massive fine for violating GDPR | Windows Central. https://www.windowscentral.com/microsoft/processing-of-personal-data-without-an-appropriate-legal-basis-is-a-clear-and-serious-violation-says-eu-as-it-fines-linkedin-usd334-million-for-violating-gdpr.
(12) EU fines LinkedIn $334 million for violating the GDPR - Engadget. https://bing.com/search?q=LinkedIn+behavioral+analysis+GDPR+issue.
(13) EU fines LinkedIn $334 million for violating the GDPR - Engadget. https://www.engadget.com/big-tech/eu-fines-linkedin-334-million-for-violating-the-gdpr-123053773.html.
If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:
By email:
secretary@iisf.ie
By post:
David Cahill
Information Security
GPO, 1-117
D01 F5P2
Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland
Invitations for Annual Sponsorship of IISF has now reopened.
Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more