The Irish Data Protection Commission (DPC) recently announced its decision to fine LinkedIn Ireland Unlimited Company €310 million for violations of the General Data Protection Regulation (GDPR). This decision followed an inquiry into LinkedIn’s practices regarding the processing of personal data for behavioral analysis and targeted advertising of its users. The DPC’s decision came after a complaint was initially lodged with the French Data Protection Authority and then forwarded to the DPC, the lead supervisory authority for LinkedIn in the European Union.
Investigation Into Behavioral Targeting Practices
The inquiry centered on LinkedIn’s use of personal data to analyze user behavior and deliver targeted ads. Regulators examined whether these practices met GDPR’s strict rules on lawfulness, fairness, and transparency. According to the DPC, they did not. Investigators concluded that LinkedIn violated Articles 6 and 5(1)(a) of the GDPR. These provisions require companies to process personal data in ways that are lawful, fair, and transparent. The DPC found that LinkedIn relied on consent, legitimate interests, and contractual necessity as legal bases for its data processing — but none met GDPR standards.
Invalid Consent and Unlawful Legal Bases
The DPC ruled that LinkedIn failed to obtain valid consent for behavioral analysis. The consent was not freely given or specific enough to satisfy GDPR requirements. The Commission also rejected LinkedIn’s argument that processing was necessary for a contract under Article 6(1)(b). Furthermore, LinkedIn’s claim of legitimate interests under Article 6(1)(f) did not hold. The DPC stated that LinkedIn’s interests did not outweigh the fundamental rights of users. This applied to both first-party data and third-party data that LinkedIn received from partners.
Failures in Transparency and Fairness
The DPC also found that LinkedIn failed to meet its transparency obligations under Articles 13 and 14. Users were not given clear information about how their data was processed or the legal bases for the processing. Regulators noted a breach of the fairness principle as well. The ruling states that LinkedIn’s practices could mislead users and limit their ability to control their personal data, which undermines their autonomy.
Three Fines Totaling €310 Million
Based on these findings, the DPC imposed three separate administrative fines that together total €310 million. The decision includes a formal reprimand and an order requiring LinkedIn to bring its practices into full GDPR compliance. Deputy Commissioner Graham Doyle emphasized the seriousness of the violations, noting that processing personal data without a lawful basis represents a significant breach of fundamental rights. The case stems from a 2018 complaint filed by French digital rights group La Quadrature du Net. Because LinkedIn’s EU operations are based in Ireland, the French authority referred the matter to the DPC.
Need Help?
With every day comes a new AI regulation or bill. You might have questions and concerns about how it will impact you. Don’t hesitate to reach out to BABL AI. Their Audit Experts are ready to provide valuable assistance.
