The Irish Data Protection Commissioner (DPC) has imposed a fine of €310 million on LinkedIn, for lack of transparency and violation of data protection policy.
This follows an investigation into the platform’s handling of personal data, specifically concerning its methods for behavioural analysis and targeted advertising.
The inquiry, prompted by a complaint from the French Data Protection Authority, concluded that LinkedIn had failed to comply with provisions of the General Data Protection Regulation (GDPR).
Notably, the DPC identified serious violations regarding the legality, fairness, and transparency of how LinkedIn processed user data.
Key findings revealed that LinkedIn did not secure valid consent from users for the utilisation of their personal data in targeted advertising, breaching Article 6(1)(a) of the GDPR.
The consent that was acquired was deemed neither freely given nor sufficiently informed, infringing on the fundamental rights of the platform’s users. Furthermore, the DPC also noted that LinkedIn misrepresented its use of user data under the guise of legitimate interests, as outlined in Article 6(1)(f) of the GDPR.
In this case, the company’s interests were found to be overridden by the rights of its users, thereby rendering the processing unlawful.
In its assessment, the DPC also determined that LinkedIn wrongly relied on Article 6(1)(b) of the GDPR, which pertains to contractual necessity, to justify its data processing for behavioural analysis—asserting this was not essential for fulfilling user agreements.
Added to these, LinkedIn failed to provide users with clear information regarding the legal bases upon which it relied for processing their data, violating Articles 13(1)(c) and 14(1)(c) of the GDPR.
Graham Doyle, deputy commissioner of the DPC, stressed the importance of lawful data processing in protecting user rights. He stated, “The lawfulness of processing is a fundamental aspect of data protection law, and processing personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.”
In light of the ruling, LinkedIn has been directed to reform its data processing methods to align with GDPR requirements.