DPC Fines LinkedIn €310M For Unlawful Data Practices

The Irish Data Protection Commission (DPC) announced today that it has fined LinkedIn €310 million for violations of the General Data Protection Regulation (GDPR) concerning user data processing practices.

The DPC, acting as the lead supervisory authority under the GDPR for LinkedIn in Europe, investigated LinkedIn’s use of personal data for behavioral analysis and targeted advertising.

The final decision found that the platform’s data processing practices violated several key provisions of the GDPR, specifically regarding lawfulness, fairness, and transparency. The inquiry revealed that LinkedIn did not obtain valid consent from its users for processing third-party data for targeted advertising.

The DPC found that the consent collected was not freely given, sufficiently informed, or specific. LinkedIn also failed to justify its reliance on legitimate interests, and contractual necessity, for the processing of first-party and third-party data.

Additionally, LinkedIn faced criticism last month for using U.S. user data to train AI models without clear consent, further raising concerns over its data practices.

Dr. Des Hogan and Dale Sunderland, Commissioners for Data Protection, concluded that LinkedIn’s data practices not only lacked proper legal basis but also failed to meet the GDPR’s fairness and transparency requirements.

In response to the findings, DPC Deputy Commissioner Graham Doyle stated, “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.”

As a result, the DPC issued a reprimand and ordered LinkedIn to bring its data processing activities into full compliance with the GDPR. Along with the €310 million fine, the decision emphasized the importance of transparency in data protection.