Irish DPC issues €310m fine to LinkedIn Ireland

24 Oct 2024


The DPC investigation began in 2018 after a complaint was issued by a French non-profit organisation.

The Irish Data Protection Commission (DPC) has today (24 October) announced its decision to fine LinkedIn Ireland €310m after an inquiry into the company’s data processing practices.

The inquiry, which examined LinkedIn’s processing of its users’ personal data for the purposes of behavioural analysis and targeted advertising, was launched by the DPC in August 2018 after an initial complaint was made to the French Data Protection Authority.

The initial complaint was made by the French non-profit organisation La Quadrature Du Net and was then passed on to the DPC due to its role as the lead supervisory authority for LinkedIn, which is owned by Microsoft.

Behavioural analysis is the process where information is gathered about an individual to inform advertisements that are specifically targeted to that individual.

The DPC investigation found that LinkedIn’s data processing practices infringed on multiple articles of the General Data Protection Regulation (GDPR), including a determination that third-party data processing consent obtained by LinkedIn for analysis and targeted advertising purposes had not been freely given, sufficiently informed or specific, or unambiguous.

The DPC also found that LinkedIn’s processing of first-party personal data for behavioural analysis and targeted advertising, along with third-party data for analytics, was unlawful because “LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects”.

Along with the €310m fine, the DPC’s decision includes a reprimand for LinkedIn Ireland as well as an order for LinkedIn to bring its processing into compliance.

The decision, which was made by commissioners for Data Protection Dr Des Hogan and Dale Sunderland, was notified to LinkedIn on 22 October after a draft decision faced no objections under the GDPR cooperation mechanism in July of this year.

“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection,” said DPC deputy commissioner Graham Doyle about today’s decision.

Last year, Microsoft told investors that the DPC intended to impose a fine of nearly €400m on LinkedIn for its targeted ad practices, after receiving a non-public draft decision from the authority. At the time, Microsoft declared its intention to dispute the decision.

“Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU,” said a spokesperson from LinkedIn about today’s decision. “While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline.”

Earlier this year, the DPC brought legal action against social media platform X for its data processing practices over concerns about the use of personal data in training X’s AI model Grok. This legal action ultimately concluded after X agreed to suspend its processing of the personal data of its EU and EEA users on a permanent basis.


Colin Ryan is a copywriter/copyeditor at Silicon Republic
