Irish Data Protection Commission Fines LinkedIn €310 Million for GDPR Violations Related to Data Use in Targeted Advertising
Ireland’s Data Protection Commission (DPC) announced a €310 million penalty against LinkedIn, finding the platform in violation of the EU’s General Data Protection Regulation (GDPR) for its handling of member data in behavioral analysis and targeted advertising. The DPC, acting as LinkedIn’s lead supervisory authority due to its Irish headquarters, initiated this investigation following a complaint lodged in 2018 by French nonprofit La Quadrature Du Net with France’s data protection regulator.
According to the DPC, LinkedIn failed to meet GDPR requirements for a valid legal basis in its data processing practices. LinkedIn had attempted to justify its data usage for targeted advertising under consent, contractual necessity, and legitimate interests. However, the DPC concluded that LinkedIn’s approach did not satisfy GDPR standards on any of these grounds. Specifically, user consent was deemed neither fully informed nor freely given, and LinkedIn’s reliance on legitimate interests was outweighed by member rights and freedoms. Additionally, the DPC ruled that LinkedIn could not depend on contractual necessity for processing data in this context.
While the full decision has yet to be published, the DPC’s press release underscored the importance of transparency, fairness, and lawful basis in data processing practices. DPC Deputy Commissioner Graham Doyle emphasized that processing personal data without an appropriate legal basis represents a significant violation of users’ rights under the GDPR.
In addition to the fine, LinkedIn received a reprimand and has been ordered to bring its data practices into compliance within three months. The platform has not yet announced whether it will appeal the decision. The case highlights a strong regulatory stance on data transparency and may lead other companies to scrutinize their own data processing practices, particularly in targeted advertising that involves third-party data.