· News · 3 min read
LinkedIn Fined €310 Million for Violating GDPR
October 2024 - The Irish Data Protection Commission has fined LinkedIn Ireland €310 million for breaching GDPR.
In a landmark decision, the Irish Data Protection Commission (DPC) has fined LinkedIn Ireland €310 million for breaching the General Data Protection Regulation (GDPR). This hefty penalty underscores the seriousness of data privacy violations and serves as a stark reminder for businesses to prioritize user rights.
The Inquiry
The DPC launched an inquiry into LinkedIn’s data practices in response to a 2018 complaint filed by the French digital rights organization, La Quadrature du Net. The inquiry focused on how LinkedIn processed personal data for behavioral analysis and targeted advertising.
Key Findings of the DPC
The DPC’s investigation revealed that LinkedIn failed to comply with several key aspects of the GDPR:
- Unlawful Data Processing: LinkedIn did not have a valid legal basis for processing user data for targeted advertising. The DPC found that the company’s reliance on consent, legitimate interests, and contractual necessity was invalid.
- Lack of Transparency: LinkedIn failed to adequately inform users about how their data was being used for behavioral analysis and targeted advertising.
- Unfair Data Practices: The DPC concluded that LinkedIn’s data processing activities were unfair and violated the principle of transparency. Consequences for LinkedIn
In addition to the €310 million fine, LinkedIn has been formally reprimanded and ordered to bring its data processing activities into compliance with the GDPR.
Key Takeaways for Businesses
The LinkedIn case highlights several crucial lessons for businesses:
- Valid Legal Basis: Ensure you have a valid legal basis for processing personal data, such as explicit consent, contractual necessity, or legitimate interests.
- Transparency is Paramount: Be transparent with users about how their data is being collected, used, and shared. Provide clear and concise privacy notices.
- Data Protection by Design: Implement data protection principles from the outset, embedding them into your products, services, and processes. Respect User Rights: Ensure users can exercise their rights under the GDPR, including the right to access, rectify, and erase their data.
Specifics of the DPC’s Findings
The DPC’s final decision records the following findings of infringement of the GDPR:
- Article 6 GDPR and Article 5(1)(a) GDPR, insofar as it requires the processing of personal data to be lawful, as LinkedIn:
- Did not validly rely on Article 6(1)(a) GDPR (consent) to process third party data of its members for the purpose of behavioural analysis and targeted advertising on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous
- Did not validly rely on Article 6(1)(f) GDPR (legitimate interests) for its processing of first party personal data of its members for behavioural analysis and targeted advertising, or third party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects.
- Did not validly rely on Article 6(1)(b) GDPR (contractual necessity) to process first party data of its members for the purpose of behavioural analysis and targeted advertising.
- Articles 13(1)(c) and 14(1)(c) GDPR, in respect of the information LinkedIn provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) GDPR as lawful bases.
- Article 5(1)(a) GDPR, the principle of fairness.
— Source: Data Protection Comission Press Release
The Future of Data Privacy
This landmark decision signals a shift towards stricter enforcement of data privacy regulations. Businesses must prioritize user rights and ensure compliance with the GDPR to avoid hefty fines and reputational damage.