The Irish Data Protection Commission (DPC) has fined LinkedIn Ireland Unlimited Company £258 million ($334.8 million) following a detailed inquiry into the company’s data processing practices.
The inquiry was launched after a complaint by the French Data Protection Authority and focused on LinkedIn’s use of personal data for behavioural analysis and targeted advertising.
The decision, finalised by Commissioners Dr Des Hogan and Dale Sunderland, was notified to LinkedIn on 22 October 2024. The DPC found LinkedIn in breach of multiple provisions of the General Data Protection Regulation (GDPR), specifically relating to the lawfulness, fairness, and transparency of its data processing activities. As a result, the DPC issued a reprimand, imposed substantial fines, and ordered LinkedIn to bring its operations into compliance with the GDPR.
The inquiry assessed LinkedIn’s reliance on several legal bases under Article 6 of the GDPR, including consent, legitimate interests, and contractual necessity. However, the DPC determined that the consent obtained by LinkedIn was neither freely given nor sufficiently informed.
The company’s reliance on legitimate interests was also found to be overridden by the rights and freedoms of its users. The inquiry also concluded that LinkedIn’s processing for behavioural analysis and targeted advertising failed to meet the contractual necessity standard.
“The lawfulness of processing is a fundamental aspect of data protection law, and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection,” said Graham Doyle, Deputy Commissioner at the DPC.
The decision comes after the DPC submitted a draft decision in July 2024, which was met with no objections from its European counterparts under the GDPR cooperation mechanism. The DPC said this ruling underscores the importance of fair, transparent, and lawful processing of personal data, particularly in the context of targeted advertising practices. LinkedIn has been instructed to ensure its future operations comply with the data protection standards outlined in the GDPR.
Lead Security Awareness Advocate at KnowBe4, Javvad Malik, said it was good to see regulators actively enforcing and standing up for user rights.
“It does serve as a reminder that relying on ‘legitimate interests’ as a legal basis is a risky strategy and can lead to significant penalties and reputational damage … For other organisations, it should be a reminder of the importance of building robust data governance frameworks that not only comply with current legislation, but support a culture of security across the organisation to enable it to adapt to evolving needs,” added Malik.
The DPC said the full decision will be published in due course, along with further details and related information.
https://www.techerati.com/news-hub/linkedin-fined-258m-over-gdpr-breach/