LinkedIn Fined for Privacy Violations: A $356 Million GDPR Penalty

Microsoft-owned LinkedIn has been hit with a hefty €310 million fine (around $356 million) by Ireland's Data Protection Commission (DPC) for violating the European Union's General Data Protection Regulation (GDPR) concerning its ad-tracking practices.

LinkedIn Fined for Privacy Violations

EU GDPR Violation

The DPC's decision stems from multiple GDPR violations related to the lawfulness, fairness, and transparency of LinkedIn's data processing for targeted advertising. The fine marks a significant blow to the professional networking giant.

€310 Million Fine

The €310 million fine represents a substantial penalty and places LinkedIn among the top GDPR fines levied against major tech companies. It underscores the seriousness of data privacy breaches and the EU's commitment to enforcing GDPR regulations.

Invalid Legal Basis for Data Processing

The DPC determined that LinkedIn's justifications for using user data for tracking ads were invalid. The company claimed reliance on consent, legitimate interests, and contractual necessity, but these were deemed insufficient under GDPR principles. LinkedIn's failure to properly inform users about its data practices further compounded the violation.

Lack of Transparency and Fairness

The DPC's decision also highlighted LinkedIn's failure to comply with the GDPR's principles of transparency and fairness. These principles require organizations to be clear and open about their data processing activities and to ensure fair and ethical treatment of user data.

DPC Decision

The DPC deputy commissioner, Graham Doyle, emphasized the significance of lawful data processing: "The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects' fundamental right to data protection."

Complaint Originated in France

The case against LinkedIn originated in France in 2018 when the digital rights non-profit La Quadrature Du Net filed a complaint. The French data protection authority subsequently passed the complaint to the DPC, as Ireland serves as the lead oversight body for Microsoft's GDPR compliance.

DPC as Lead Oversight Body

Ireland's role as lead oversight body for Microsoft's GDPR compliance makes the DPC responsible for overseeing the company's data protection practices across the EU. This responsibility includes investigating complaints and imposing sanctions for violations.

Three Months to Comply with GDPR

In addition to the fine, LinkedIn has been given three months to bring its European operations into compliance with the GDPR. This includes revising its data processing practices and ensuring transparency for users. Failure to comply could lead to further penalties.

LinkedIn's Statement

LinkedIn acknowledged the DPC's decision and stated: "Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU. While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC's deadline."

Top 10 GDPR Penalties

The €310 million fine positions LinkedIn among the top ten largest GDPR penalties imposed on big tech companies, highlighting the significant financial consequences of data privacy violations.

Summary

• LinkedIn fined €310 million by Ireland's Data Protection Commission for GDPR violations related to ad-tracking practices.
• DPC found LinkedIn's legal justifications for data processing invalid and its data practices lacking transparency and fairness.
• The fine underscores the seriousness of data privacy breaches and the EU's commitment to enforcing GDPR regulations.
• LinkedIn has been given three months to bring its European operations into compliance with the GDPR.