On October 24, 2024, the Irish Data Protection Commission (DPC) issued a press release announcing its EUR 310 million fine of LinkedIn over the platform’s use of member personal data in breach of the EU’s General Data Protection Regulation (GDPR). In particular, the DPC found that LinkedIn did not have a valid lawful basis for conducting behavioural analysis and targeted advertising.
The DPC, in its role as the lead supervisory authority for the Irish-headquartered LinkedIn, led an inquiry into the company’s practices following an August 2018 complaint filed with the French data protection regulator by the non-profit organization La Quadrature Du Net.
The DPC has not yet released the full text or details of its decision, but the press release reiterates the importance of adhering to the fundamental principles of the GDPR – namely those concerning lawfulness, fairness and transparency – and acts as a reminder of the extensive powers of the regulators.
The Decision
Companies Must Exercise Caution When Choosing A Lawful Basis For Processing
One of the basic tenets of the GDPR is that personal data should only be processed where a company can justify such processing on the basis of one of a prescribed list of “lawful bases”. Indeed, in the DPC’s press release, DPC deputy commissioner Graham Doyle reiterates that “the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection.”
According to Article 6(1) of the GDPR, processing can be considered lawful if it is based, inter alia, on consent, contractual necessity or legitimate interests. Whilst LinkedIn sought to rely on each of these for its use of member personal data for behavioural analysis and targeted advertising, the DPC concluded that LinkedIn failed in each instance to meet the applicable thresholds. To take each in turn:
- Consent: LinkedIn sought to rely on consent for its use of third-party data of its members. This consent, however, was not, as required by the GDPR, freely given, sufficiently informed, specific, and unambiguous. In other words, users were not fully aware of or able to freely choose whether their data could be used for such purposes.
- Legitimate interests: LinkedIn relied on legitimate interests for its use of first-party data of its members for behavioural analysis and targeted advertising, and third-party data for analytics. However, the DPC considered that the rights and freedoms of the members outweighed LinkedIn’s commercial interests, rendering reliance on this basis also unlawful.
- Contractual necessity: In addition, the DPC found that LinkedIn could not rely on this lawful basis, which allows data processing when necessary for the performance of a contract.
The DPC has not yet published its full decision, so we do not have a clear picture as to why LinkedIn’s arguments that it could rely on these lawful bases failed. It will be interesting to see how much the decision follows the same lines of reasoning as the Court of Justice of the European Union (CJEU) in Meta Platform and Others v German Federal Cartel Office, which considered the appropriateness of relying on each of the above lawful bases in the context of personalized advertising on a social network. Please see our blog post for more information on the CJEU’s decision.
Companies Should Be Transparent and Fair in Their Use of Personal Data
The DPC found that LinkedIn breached the GDPR’s transparency obligations, as it did not provide clear, transparent information to users about its reliance on these lawful bases. Users were not properly informed of how their data would be processed or the specific legal grounds for doing so.
Finally, the DPC found that LinkedIn violated the principle of fairness in data processing. This principle requires that personal data must be handled in a way that is not detrimental, discriminatory, unexpected or misleading, and LinkedIn’s practices, as determined by the DPC, did not meet these criteria.
What Next?
As well as the fine, the DPC has issued a reprimand, and has ordered LinkedIn to bring its data processing into compliance within three months. It is not yet clear whether LinkedIn will appeal the decision.
Companies should await the text of the final decision in order to assess the appropriateness of their own lawful bases, in particular where they are conducting targeted advertising using third-party data.
At Goodwin, we are dedicated to helping companies navigate the complexities of their data protection requirements, in the EU, UK and globally. We have experts who understand the challenges posed by these laws. Goodwin provides tailored support to help businesses anticipate and meet their obligations.
We would like to thank Lise Madray for her assistance with this alert.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- Gretchen Scott, Partner
- Curtis McCluskey, Counsel
- Josephine Jay, Associate