The Irish Data Protection Commission (DPC) has hit LinkedIn Ireland with a hefty €310 million (KSh 43.28B) fine following an investigation into the company’s handling of user data.
The inquiry, launched after a complaint from the French Data Protection Authority, focused on how LinkedIn processes member data for targeted advertising and behavioral analysis.
According to the DPC, LinkedIn’s data practices violated several key principles of the General Data Protection Regulation (GDPR), the European Union’s data privacy law.
Specifically, the commission determined that:
- Consent for third-party data was invalid. LinkedIn relied on user consent to process data from their connections, but the DPC ruled this consent wasn’t freely given, sufficiently informed, specific, or unambiguous.
- “Legitimate interests” justification wasn’t strong enough. LinkedIn claimed a legitimate business interest in processing both member and non-member data for advertising and analytics. However, the DPC argued that these interests didn’t outweigh the privacy rights of individuals.
- Contractual necessity wasn’t applicable. LinkedIn’s argument that processing data was necessary to fulfill user contracts was also rejected by the DPC.
- Transparency issues. The DPC found that LinkedIn inadequately informed users about the legal basis for processing their data.
- Violation of fairness principle. The DPC concluded that LinkedIn’s data practices were simply unfair to users.
“The lawfulness of processing is fundamental to data protection law,” stated DPC Deputy Commissioner Graham Doyle. “Processing data without a proper legal basis is a serious violation of a user’s right to data privacy.”
The enforcement action stems from a 2018 complaint filed by French digital rights group La Quadrature Du Net, which alleged that LinkedIn’s data collection and use violated the General Data Protection Regulation (GDPR).
In a statement, a LinkedIn spokesperson acknowledged the DPC’s decision and expressed the company’s commitment to compliance.
“While we believe our operations have been in line with GDPR requirements, we respect the DPC’s ruling and will be making adjustments to our advertising practices within the specified timeframe,” the spokesperson said.