The Irish Data Protection Commission (DPC) has issued a €310m ($336m) fine to LinkedIn Ireland Unlimited Company over violation of the EU’s General Data Protection Regulation (GDPR) in relation to the firm’s advertising practices.
This decision came after a complaint initially made in August 2018 by a French non-profit organization, La Quadrature Du Net, to the French data protection authority (CNIL).
This initial complaint prompted an inquiry to decide on the lawfulness, fairness and transparency of the processing of the personal data of users of the LinkedIn platform for the purposes of behavioral analysis and targeted advertising.
The personal data in question encompassed data provided directly to LinkedIn by its members and data obtained via its third-party partners relating to its members.
The inquiry concluded that LinkedIn was infringing Articles 5, 6, 13 and 14 of GDPR, which include:
- The need to request formal consent from users to process third-party data
- The need to ensure legitimate interest for its processing of first-party personal data of its members
- The need to ensure users’ personal data is collected following a principle of fairness
Acting as the lead supervisory authority for LinkedIn in the EU, the DPC submitted a draft decision to the GDPR cooperation mechanism in July 2024, which has now been validated.
The DPC’s decision includes three administrative fines totaling €310m, a reprimand and an order for LinkedIn to bring its processing into compliance.
LinkedIn issued a short statement acknowledging the DPC’s decision, but did not say whether it would be challenging the fine.
“Today the Irish DPC reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU. While we believe we have been in compliance with the GDPR, we are working to ensure our ad practices meet this decision by the DPC's deadline,” the company stated.
Read more: Data Protection Regulators Cracking Down on Privacy Violations