The Irish Data Protection Commission (DPC) has levied a €310 million fine on LinkedIn Ireland Unlimited Company (LinkedIn) after completing an inquiry into the company’s handling of user data.
This investigation, which was initiated following a complaint lodged by the French non-profit organization La Quadrature Du Net with the French Data Protection Authority (CNIL), examined how LinkedIn processed personal data for purposes of behavioural analysis and targeted advertising. LinkedIn, under scrutiny for potentially violating the General Data Protection Regulation (GDPR), has been ordered to overhaul its data processing practices.
The decision, issued on 22 October 2024, marks the conclusion of the DPC’s inquiry, with Commissioner Des Hogan and Deputy Commissioner Dale Sunderland overseeing the ruling. The inquiry focused on whether LinkedIn had followed the principles of lawfulness, fairness, and transparency in processing data for advertising and analytics.
The investigation conducted by the DPC uncovered multiple violations of the GDPR, particularly concerning the company’s dependence on different legal bases for data processing. These included the use of consent, legitimate interests, and contractual necessity, all of which the DPC found to be inadequate under the regulation.
Inadequate Consent (Article 6(1)(a) GDPR): LinkedIn’s attempt to use consent as the legal basis for processing third-party data for targeted advertising was deemed invalid. The DPC found that the consent obtained by LinkedIn was not sufficiently informed, specific, or unambiguous. The company failed to meet the GDPR’s high standards for consent, which should be freely given, specific, and informed.
Improper Use of Legitimate Interests (Article 6(1)(f) GDPR): LinkedIn also attempted to justify its processing of personal data on the basis of legitimate interests. The DPC concluded that the fundamental rights and freedoms of users took precedence over LinkedIn’s business interests. GDPR requires that legitimate interests should not override the privacy rights of individuals, and the DPC found LinkedIn’s processing to violate this principle.
Lack of Contractual Necessity (Article 6(1)(b) GDPR): The DPC found that LinkedIn wrongly relied on contractual necessity to process data for advertising purposes. The regulation allows for processing based on the necessity of fulfilling a contract, but the DPC concluded that such processing was not necessary for the provision of LinkedIn’s services.
Failure to Provide Clear Information to Data Subjects (Articles 13(1)(c) and 14(1)(c) GDPR): LinkedIn failed to transparently inform its users about how their data was being processed and the legal bases for such processing. The GDPR mandates that data subjects must be made fully aware of how their personal data is used, but LinkedIn’s disclosures were found to be insufficient and misleading.
Violation of the Fairness Principle (Article 5(1)(a) GDPR): The DPC also found that LinkedIn’s practices did not adhere to the fairness principle set out in the GDPR. This principle ensures that personal data is processed in a manner that does not disadvantage or deceive the data subjects. LinkedIn’s practices were deemed to have breached this fundamental right.
As a result of these findings, the DPC has taken several corrective actions under the GDPR:
Reprimand: LinkedIn has been issued a formal reprimand as stipulated under Article 58(2)(b) of the GDPR. This reprimand serves as a formal notice of the company’s non-compliance and emphasizes the severity of its violations.
€310 Million Fine: The DPC has imposed a total fine of €310 million, as permitted under Articles 58(2)(i) and 83 of the GDPR. This fine reflects the serious nature of the infringements and serves as a deterrent against future violations.
Compliance Order: LinkedIn has been ordered to bring its data processing practices into full compliance with the GDPR. This includes ensuring that all data processing activities are conducted on a valid legal basis and that users are provided with clear, transparent information regarding how their data is used.
