Ireland's Data Protection Commission (DPC) has hit LinkedIn with a €310 million fine after ruling it misused personal data for behavioral analysis and targeted advertising.
The ruling follows a complaint submitted to the French data protection authority in 2018 by privacy non-profit La Quadrature Du Net, and later referred to the DPC as the lead supervisory authority for LinkedIn.
The personal data involved both first-party data from members themselves and data obtained via LinkedIn's third-party partners.
Processing this sort of data requires one of a few legal justifications, such as consent, contractual necessity, or legitimate interests, but certain conditions must apply, such as informed consent, fairness, and transparency.
According to the DPC, LinkedIn failed to satisfy these conditions.
In terms of consent, the regulator said this wasn't freely given, sufficiently informed, or specific or unambiguous.
Meanwhile, LinkedIn couldn't rely on the legitimate interests argument, according to the DPC as the fundamental rights and freedoms of users should trump those of LinkedIn itself; and nor did contractual necessity apply.
"The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject's fundamental right to data protection," said DPC deputy commissioner Graham Doyle.
The decision also sees LinkedIn reprimanded and ordered to bring its practices into line with the GDPR. LinkedIn has accepted the findings.
"Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU," it said in a statement.
"While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC's deadline."
While dwarfed by the €1.55 billion penalty imposed against Meta last year, the LinkedIn fine is one of the largest ever imposed against a tech firm by the DPC for GDPR breaches.
Javvad Malik, lead cybersecurity awareness advocate at KnowBe4, said it's good to see regulators actively enforcing and standing up for user rights. Malik added that the incident highlights the importance of building robust data governance frameworks.
"It does serve as a reminder that relying on 'legitimate interests' as a legal basis is a risky strategy and can lead to significant penalties and reputational damage," he said.
“Ultimately, this ruling showcases how vital it is for organisations to reassess their business models and the ethics around targeted advertising. Rather they need to shift towards more user-centric models where users are clearly informed and given the ability to make decisions that are best for them."
