LinkedIn is at risk of incurring a substantial fine of €310 million ($334 million) from the European Union following a ruling by the Irish Data Protection Commission (DPC). The DPC concluded that LinkedIn had inappropriately used its members’ personal data for targeted advertising through behavioral analysis without proper consent, which is a breach of the General Data Protection Regulation (GDPR).
The GDPR mandates clear consent, legitimate interest, or contractual necessity for the processing of personal data, and LinkedIn’s actions, along with those of its third-party partners, failed to comply with these requirements.
The DPC issued a stern reprimand to LinkedIn along with an order to ensure all data collection practices are aligned with GDPR standards. DPC Deputy Commissioner Graham Doyle emphasized the severity of the infringement, noting that lawful data processing is a cornerstone of data protection law and that any processing without a valid legal basis constitutes a significant infringement of individuals’ fundamental rights to data protection.
This enforcement action originates from a complaint lodged in 2018 by La Quadrature Du Net, a French advocacy group, which prompted an investigation into whether LinkedIn’s data processing activities were lawful, fair, and transparent. The case was initially brought to the attention of the French Data Protection Authority but was later transferred to the DPC, given that LinkedIn’s European headquarters is located in Ireland.
In response to the DPC’s decision, a LinkedIn spokesperson issued a statement acknowledging the final decision on the 2018 claims regarding the company’s digital advertising practices within the EU. The spokesperson expressed LinkedIn’s belief that their operations were in line with GDPR standards but also affirmed the company’s commitment to adjusting its advertising practices to comply with the DPC’s ruling within the specified timeframe.