Ireland fines LinkedIn €310 million for GDPR violations

The Irish Data Protection Commission (DPC) has issued a final decision against LinkedIn Ireland Unlimited Company, imposing a fine of 310 million euros for violations of the General Data Protection Regulation (GDPR). This ruling marks a significant milestone in overseeing targeted advertising practices and behavioral analysis, raising questions about the legitimacy of the methods employed by LinkedIn to process personal data of its users in the European Union.

The investigation, which began in 2018 following a complaint from the French organization La Quadrature du Net, examined the legality, transparency, and fairness of LinkedIn’s use of personal data for targeted advertising and behavioral analysis of users with profiles on the platform.

What were the DPC’s findings?

The DPC’s decision, notified to LinkedIn on October 22, 2024, outlines several violations of the GDPR, including:

  1. Violation of legality in data processing: According to Article 6 of the GDPR, data processing must be based on a valid legal ground. LinkedIn failed to obtain informed, specific, and unambiguous consent to process third-party data for targeted advertising. Furthermore, the company’s legitimate interest could not outweigh the fundamental rights and freedoms of users who, as per the DPC, are impacted by excessive data collection practices.
  2. Lack of transparency and fairness: The DPC noted that LinkedIn did not adequately inform users about the legal bases justifying the processing of their data, violating Articles 13 and 14 of the GDPR. Additionally, the lack of transparency was seen as undermining users’ autonomy over their personal information.

Fine and corrective measures

The DPC’s resolution imposes three administrative fines on LinkedIn totaling 310 million euros and issues a formal warning. Furthermore, it requires the company to align its data processing practices with the GDPR, which entails making changes to its privacy policy and methods for obtaining consent from its European users.

The DPC’s Deputy Commissioner, Graham Doyle, commented on the decision: “Legality in the processing of personal data is a fundamental aspect of data protection law, and processing such data without an appropriate legal basis constitutes a clear violation of the fundamental rights of data subjects.”

LinkedIn’s response

In a statement released on October 24, 2024, LinkedIn defended its practices, arguing that they were already compliant with the GDPR. However, the company expressed its willingness to implement the necessary changes to comply with the DPC’s decision.

“While we believe our practices are GDPR-compliant, we will work to ensure our advertising efforts meet the timeline set by the DPC,” LinkedIn stated in its public declaration.

Important precedent for privacy in the EU

This ruling serves as a warning to platforms that use user data for behavioral analysis and targeted advertising. By basing its decisions on principles of transparency, fairness, and autonomy, the DPC demonstrates its commitment to protecting the privacy rights of European citizens.

References: DPC and LinkedIn
