Data Protection Body Hit LinkedIn Ireland With €310m Fine

LinkedIn Ireland has been fined 310 million euro by the Data Protection Commission in relation to the processing of personal data for behavioural analysis and targeted advertising of users.

It followed a complaint initially made by the French Data Protection Authority in 2018. LinkedIn says, while it believes it has been in compliance with GDPR, it is working to ensure its ad practices meet this decision by the commissioner's deadline.

This inquiry was launched by the DPC, following a complaint initially made to the French Data Protection Authority.

The decision, which was made by the Commissioners and notified to LinkedIn concerns the lawfulness, fairness and transparency of this processing.

The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million.

The DPC submitted a draft decision to the GDPR cooperation mechanism in July 2024, as required under Article 60 of the GDPR^[3]. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.

The DPC’s final decision records the following findings of infringement of the GDPR:

1. Article 6 GDPR and Article 5(1)(a) GDPR, insofar as it requires the processing of personal data to be lawful, as LinkedIn:
   • Did not validly rely on Article 6(1)(a) GDPR (consent) to process third party data of its members for the purpose of behavioural analysis and targeted advertising on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous.
   • Did not validly rely on Article 6(1)(f) GDPR (legitimate interests) for its processing of first party personal data of its members for behavioural analysis and targeted advertising, or third party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects.
   • Did not validly rely on Article 6(1)(b) GDPR (contractual necessity) to process first party data of its members for the purpose of behavioural analysis and targeted advertising.
2. Articles 13(1)(c) and 14(1)(c) GDPR, in respect of the information LinkedIn provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) GDPR as lawful bases.
3. Article 5(1)(a) GDPR, the principle of fairness.

DPC Deputy Commissioner Graham Doyle commented:

“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection.”

The DPC will publish the full decision and further related information in due course.