
GDPR fine: LinkedIn fined 310 million euros

The Irish Data Protection Commission (DPC) has imposed a fine of 310 million euros on the business network LinkedIn.

The Irish Data Protection Commission (DPC) has imposed a fine of 310 million euros on the Microsoft-owned business network LinkedIn. The subject of the investigation was the processing of personal data of LinkedIn users for behavioral analysis and targeted advertising. Here is what other companies can learn from the fine.

CNIL forwards LinkedIn complaint to DPC

The DPC's investigation was initiated on 20 August 2018 following a complaint from the French non-profit organization La Quadrature Du Net. The complaint was first submitted to the French data protection authority CNIL and then forwarded to the DPC in its role as the lead supervisory authority for LinkedIn.

According to the DPC, the investigation concerned "the lawfulness, fairness and transparency of the processing of personal data of users of the LinkedIn platform for the purposes of behavioral analysis and targeted advertising". The DPC found that the personal data in question was data provided directly to LinkedIn by its members (first-party data) and data collected by LinkedIn through its third-party partners in relation to its members (third-party data).

Lack of consent from LinkedIn users

In its decision of October 22, 2024, the DPC found several violations of the GDPR:

  • Art. 6 and Art. 5 para. 1 lit. a GDPR: LinkedIn was unable to demonstrate a valid legal basis for processing member data for the purposes of behavioral analysis and targeted advertising. Specifically, the DPC found that:
    • The consent obtained by LinkedIn was invalid because it was not freely given, not sufficiently informed, or not specific and unambiguous (Article 6(1)(a) GDPR).
    • LinkedIn could also not effectively rely on Article 6(1)(f) GDPR (legitimate interest) to process personal data of its members for behavioral analysis and targeted advertising or third-party data for analysis. The interests and fundamental rights and freedoms of the data subjects outweigh the interests of LinkedIn.
  • LinkedIn was also unable to invoke necessity for the performance of a contract (Article 6(1)(b) GDPR), as the processing for behavioral analysis and advertising was not necessary for that purpose.
  • LinkedIn also did not provide sufficient information on the legal bases used, which violates the transparency requirements of the GDPR, Articles 13(1)(c) and 14(1)(c) GDPR.
  • Article 5(1)(a) GDPR - Violation of the principle of fairness: The DPC found that LinkedIn's data processing violated the principle of fairness, as the practices restricted users' trust and freedom of choice with regard to their personal data.


DPC measures and sanctions against LinkedIn

In response to these violations, the DPC implemented various measures:

  1. A reprimand against LinkedIn pursuant to Article 58(2)(b) GDPR.
  2. Three administrative fines totaling 310 million euros pursuant to Article 58(2)(i) and Article 83 GDPR.
  3. An order to bring data processing into compliance with the GDPR, in accordance with Article 58(2)(d) GDPR.

What companies can learn from the LinkedIn decision

This decision highlights the enormous risks for companies that process personal data without an appropriate legal basis. The consequences include not only financial sanctions, but also lasting reputational damage. Various lessons and obligations arise for companies from this decision:

  • Increased compliance measures:
    Companies must ensure that they can prove that they have a valid legal basis for processing personal data and that consent, if used, meets the strict requirements of the GDPR.
  • Clarity and transparency:
    Companies are obliged to communicate their data processing practices clearly and comprehensibly so that users are informed about the purpose and consequences of data processing and can exercise their rights.
  • Fairness and user rights:
    Companies must not only ensure the legal basis of their data processing, but also guarantee fairness and the protection of the rights of data subjects.
  • Risk of sanctions:
    The decision shows that violations of the GDPR can not only have legal consequences, but can also entail considerable financial risks.

Compliance with the principles of fairness, transparency and lawfulness in data processing is not only a legal requirement, but also a key factor in maintaining user trust. Companies should therefore regularly review their data processing operations and ensure that they comply with the strict requirements of the GDPR in order to minimize legal risks and protect the rights of their users.

Source: Irish Data Protection Commission fines LinkedIn Ireland €310 million
