LinkedIn on Tuesday was fined a record 310 million euros ($336 million) and ordered to stop processing third-party data of its members for the purpose of behavioural analysis and targeted advertising without consent, in a major ruling against the social media company for violating European Union data protection rules.
The penalty, announced by Ireland’s Data Protection Commission, is potentially one of the most consequential in the six years since the European Union enacted the landmark data privacy law known as the General Data Protection Regulation (GDPR), which sets guidelines for the collection and processing of personal information from individuals who live in and outside of Europe.
The Irish Data Protection Commission (DPC) said the company, which is headquartered in Sunnyvale, California, in the US, failed to comply with several key provisions in the GDPR, which requires businesses to take additional security measures to protect individuals’ fundamental rights and freedoms, particularly their right to protection of their personal data.
The DPC’s final decision records the following findings of infringement of the GDPR by LinkedIn:
1. Article 6 and Article 5(1)(a) GDPR — LinkedIn’s processing of personal data lacked lawful basis:
* LinkedIn did not validly rely on Article 6(1)(a) GDPR (consent) for processing third-party data, as the consent obtained was not freely given, sufficiently informed, specific, or unambiguous.
* LinkedIn’s reliance on Article 6(1)(f) GDPR (legitimate interests) for processing members’ first-party data and third-party data for analytics was invalid, as LinkedIn’s interests were overridden by the data subjects’ rights and freedoms.
* LinkedIn could not validly rely on Article 6(1)(b) GDPR (contractual necessity) for processing first-party data for behavioural analysis and targeted advertising.
2. Articles 13(1)(c) and 14(1)(c) GDPR — LinkedIn’s information to data subjects regarding its lawful processing bases under Articles 6(1)(a), 6(1)(b), and 6(1)(f) was found insufficient.
3. Article 5(1)(a) GDPR — LinkedIn failed to uphold the principle of fairness in its data processing.
This decision, issued by Commissioners Dr Des Hogan and Dale Sunderland, originated from a 2018 investigation following a complaint by the French non-profit La Quadrature Du Net, initially submitted to France’s watchdog Commission Nationale Informatique & Libertés (CNIL), which then referred the case to the Irish DPC as the supervisory authority for GDPR enforcement.
After the ruling, DPC Deputy Commissioner Graham Doyle remarked, “The lawfulness of processing is a fundamental aspect of data protection law, and processing personal data without an appropriate legal basis is a clear and serious violation of a data subject’s right to data protection.” The ruling now requires LinkedIn to align its data processing with GDPR standards and pay the €310 million fine.
Since the European data privacy law entered into application on May 25, 2018, few penalties have been announced. In June of that year, CNIL imposed a 50 million euro fine on Google over the company’s opaque privacy policy and lack of legal basis for personalized ads.
In 2022, the Irish regulators fined Meta, previously called Facebook, 225 million euros (about $235 million) for similar violations related to its messaging service WhatsApp. More recently, in August 2024, the Dutch Data Protection Authority imposed a 290 million euro ($324 million) fine on the ride-hailing service Uber for not properly disclosing how personal data of European drivers across its services was collected and transferred to the United States.
The threat of hefty fines is intended to encourage companies to enhance cybersecurity measures and adopt more responsible practices regarding user data collection and storage.