Ireland’s Data Protection Commission (DPC) has dished out a significant €310m fine to jobs networking site LinkedIn, as part of a probe into its processing of users’ data for behavioural analysis and targeted advertising.
The data watchdog found multiple breaches of the General Data Protection Regulation (GDPR), which is the EU’s major piece of legislation on data protection and privacy.
In a statement, the DPC described the processing of personal data without the right legal basis as a “clear and serious violation” of a person’s “fundamental right” to data protection.
It said its decision on LinkedIn, which has its European headquarters in Dublin city centre, concerned the lawfulness, fairness and transparency over how it processes its users' data.
It found consent to use third-party data for behavioural analysis and targeted analysis was “not freely given, sufficiently informed or specific, or unambiguous”.
It also did not validly rely on the “contractual necessity” clause of the GDPR to process first-party data for the purpose of behavioural analysis and targeted advertising.
The DPC said behavioural analysis was the entire process where information provided by, inferred from or observed about someone is then used to inform advertisements that are targeted to that individual.
Targeted advertising, meanwhile, is where a person has adverts put in front of them online based on the information a company holds on them, whether they provided it directly, or it was inferred from/observed about them.
The probe first began in 2018 following a complaint by a French non-profit organisation. While the complaint initially came to its French counterpart, it then landed at the desk of the Irish DPC in its role as lead supervisory authority for LinkedIn.
This inquiry examined the lawfulness, fairness and transparency of the processing of the personal data of users of the LinkedIn platform for the purposes of behavioural analysis and targeted advertising.
The personal data in question encompassed data provided directly to LinkedIn by its members and data obtained via its third-party partners relating to its members.
It submitted a draft decision to the GDPR cooperation mechanism in July 2024, which is when a country’s data watchdog liaises with European counterparts before finalising its decision. The DPC said no objections were raised with its draft decision.
Data protection commissioners Dr Des Hogan and Dale Sunderland made the final decision and notified LinkedIn on October 22.
As well as the €310m administrative fine, the DPC ordered LinkedIn to bring its processing of data into compliance, as well as issuing a reprimand.
DPC deputy commissioner Graham Doyle said: “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection.”
A LinkedIn spokesperson said: "Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU.
"While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC's deadline."