Irish Data Protection Commission penalizes LinkedIn for unlawful processing of personal data and targeted advertising practices.
By Luís Rijo, on October 24, 2024 4:22 PM
The Irish Data Protection Commission (DPC) imposed a €310 million fine on LinkedIn Ireland on October 24, 2024, following an investigation into the company's data processing practices. The inquiry, which began after a complaint from a French non-profit organization, revealed multiple violations of the General Data Protection Regulation (GDPR) regarding behavioral analysis and targeted advertising of LinkedIn members' personal data.
The investigation commenced on August 20, 2018, following a complaint by La Quadrature Du Net to the French Data Protection Authority. The complaint was subsequently transferred to the Irish DPC, which serves as LinkedIn's lead supervisory authority in the European Union. The investigation focused on examining the lawfulness, fairness, and transparency of LinkedIn's processing of both first-party and third-party personal data of its members.
According to the DPC's findings, LinkedIn violated multiple GDPR articles:
- Article 6 and Article 5(1)(a) violations:
  - LinkedIn failed to obtain valid consent for processing third-party data
  - The company inappropriately relied on legitimate interests for processing first-party personal data
  - The platform incorrectly cited contractual necessity for processing member data
- Articles 13(1)(c) and 14(1)(c) violations regarding information provided to users about legal bases for data processing
- Article 5(1)(a) violation concerning the principle of fairness in data processing
The DPC submitted its draft decision through the GDPR cooperation mechanism in July 2024. No objections were raised by other EU/EEA supervisory authorities. The final decision, issued by Commissioners Dr Des Hogan and Dale Sunderland, was notified to LinkedIn on October 22, 2024.
The DPC implemented three primary corrective measures:
- A formal reprimand
- Administrative fines totaling €310 million
- An order requiring LinkedIn to bring its processing operations into GDPR compliance
According to LinkedIn's corporate communications statement released on October 24, 2024, the company maintains its belief in GDPR compliance but commits to adjusting its advertising practices to meet the IDPC's requirements within the specified deadline. The statement addresses claims dating back to 2018 regarding the platform's digital advertising efforts in the EU.
Key Facts
- Date of Final Decision: October 24, 2024
- Investigation Start Date: August 20, 2018
- Total Fine Amount: €310 million
- Initial Complaint Source: La Quadrature Du Net (French non-profit)
- Lead Authority: Irish Data Protection Commission
- Commissioners: Dr Des Hogan and Dale Sunderland