LinkedIn Fined €310 Million for Misusing Personal Data
Ireland’s Data Protection Commission (DPC) has imposed a €310 million fine on LinkedIn for misusing personal data in behavioral analysis and targeted advertising. This ruling stems from a complaint made by La Quadrature Du Net, a privacy non-profit, to the French data protection authority in 2018. The DPC, acting as the lead supervisory authority for LinkedIn, found that the company processed personal data without a valid legal basis, which included both first-party data from its members and data sourced from third-party partners.
According to the DPC, LinkedIn failed to meet the necessary conditions for processing personal data, which include obtaining informed consent, ensuring fairness, and maintaining transparency. The regulator determined that LinkedIn’s consent was not freely given, sufficiently informed, or specific and unambiguous. Additionally, the DPC ruled that LinkedIn could not rely on the legitimate interests argument, as the fundamental rights and freedoms of users take precedence over the company’s interests.
The DPC emphasized that lawful processing is a critical aspect of data protection law. Graham Doyle, the DPC’s deputy commissioner, stated that processing personal data without an appropriate legal basis constitutes a serious violation of an individual’s right to data protection. As part of the ruling, LinkedIn has been ordered to align its practices with the General Data Protection Regulation (GDPR) and has accepted the findings, stating its commitment to compliance.
While the fine is significantly smaller than the €1.55 billion penalty imposed on Meta last year, it remains one of the largest fines levied against a tech company by the DPC for GDPR breaches. Experts, including Javvad Malik from KnowBe4, have noted the importance of this ruling, highlighting the need for organizations to reassess their data governance frameworks and prioritize user-centric models in advertising practices.
