The Irish Data Protection Commission (DPC) has fined LinkedIn €310 million after an investigation into the platform’s use of personal data for behavioral analysis and targeted advertising. The inquiry, led by the DPC under the General Data Protection Regulation (GDPR), was triggered by a complaint from the French Data Protection Authority.
The decision, finalized on October 22, 2024, by Data Protection Commissioners Dr. Des Hogan and Dale Sunderland, cites LinkedIn for serious violations of GDPR, particularly regarding the transparency, fairness, and legality of its data processing practices. LinkedIn has been ordered to update its data management processes to meet GDPR requirements.
GDPR Violations
The DPC found LinkedIn violated Article 6(1)(a) of GDPR by failing to obtain valid consent from users for the use of their personal data for behavioral analysis and advertising. The consent provided by users was determined to be neither freely given nor sufficiently informed. LinkedIn also violated Article 6(1)(f) by unlawfully processing user data under the pretext of legitimate interest, which the DPC ruled was overridden by the fundamental rights of the users.
Additionally, the platform was found to have improperly relied on Article 6(1)(b), claiming that data processing for behavioral analysis was contractually necessary, a justification the DPC rejected. LinkedIn also breached Articles 13(1)(c) and 14(1)(c) by failing to clearly inform users about the legal grounds for its data processing activities.
DPC’s Stand on Data Protection
Graham Doyle, Deputy Commissioner of the DPC, emphasized the importance of following lawful data processing practices, stating, “The lawfulness of data processing is central to safeguarding the fundamental rights of individuals, and processing personal data without a valid legal basis is a significant breach.”
International Regulatory Actions
This ruling is part of a broader trend of global regulatory scrutiny. In July, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) and the Nigeria Data Protection Commission (NDPC) fined Meta Platforms $220 million for violations, including unauthorized transfer of Nigerian users’ data and discrimination in data handling practices.