LinkedIn is facing a €310 million ($334 million) fine in the EU after the Irish Data Protection Commission (DPC) determined it had improperly conducted behavioral analyses of its members’ personal data for targeted advertising. This decision argues that LinkedIn violated the GDPR by not obtaining proper consent, demonstrating legitimate interest or showing a contractual necessity to process the data it and third-parties collected.
The DPC also reprimanded LinkedIn and handed down an order for it to collect all data in a compliant manner. “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection,” DPC Deputy Commissioner Graham Doyle stated.
The decision stems from a 2018 complaint by the French non-profit organisation, La Quadrature Du Net, and an initial inquiry examining whether LinkedIn processed the personal data of its users lawfully, fairly and transparently. The matter was originally raised with the French Data Protection Authority and then transferred to the DPC as LinkedIn’s European base is Ireland.
A LinkedIn spokesperson shared a statement with Engadget in response to the decision: “Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU. While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline.”
Update, October 24 2024, 9:12AM ET: This article has been updated to include a statement from LinkedIn.