Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
The Data Protection Commission (DPC) has reprimanded and fined LinkedIn Ireland €310 million and ordered it to bring its data processes into line with European law after finding fault with the legal basis the Microsoft-owned social media company relied upon to process its members’ data for advertising and to track behaviours.
The DPC – the lead European supervisory authority for LinkedIn, which has its EU headquarters in Dublin – issued the ruling on foot of an investigation based on a complaint originally made to the French data watchdog in 2018.
In a statement on Thursday, the DPC said LinkedIn had obtained the consent of its users for their personal data to be sent to third parties for the purposes of generating targeted advertising. However, it found that consent was not “freely given, sufficiently informed or specific, or unambiguous”, as is required under General Data Protection Regulation (GDPR), for the information to be used for these purposes.
It is the fifth-largest fine the Irish regulatory body has issued under GDPR and the sixth largest by any EU authority since the regime was introduced in 2018. LinkedIn Ireland, which was notified of the DPC decision on Tuesday, has 30 days to appeal the decision.
“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection,” said Graham Doyle, DPC deputy commissioner.
Following the DPC’s statement, a spokeswoman for LinkedIn said: “Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU. While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline.”
Asked whether the company intends to appeal the decision, a spokeswoman for LinkedIn said: “Our focus right now is on ensuring our ad practices meet this decision by the IDPC’s deadline.”
“This is another substantial fine issued by the DPC which aligns with similar European enforcement against Meta and other companies for targeted advertisements sent without the requisite consent meeting GDPR standards,” said David Hackett, partner and head of Data Protection at law firm Addleshaw Goddard Ireland. “GDPR introduced strict requirements that consent for processing of personal information needs to demonstrate that such consent was freely given and fully informed.”
The fine is lower than the $425 million (€393.4 million) Microsoft said it had set aside last year to cover the cost of penalties arising from the case, which kicked off in 2018 with a complaint from a French non-profit to that country’s data protection regulator.
The tech giant told investors in an update in June 2023 that it had seen a non-public version of the DPC’s draft decision, indicating the level of penalty it could face. Microsoft said it would “dispute the legal basis for, and the amount of, the proposed fine and will continue to defend its compliance with GDPR”.
Revenues at the main Irish unit of LinkedIn – which also manages the company’s operations in Europe, the Middle East and Africa – jumped more than 15 per cent to $5.3 billion (€4.97 billion) in 2022. The most recent accounts for LinkedIn Ireland Unlimited Company show a 45 per cent decline in pretax profits to $99.5 million (€93.4 million) in 2022.
In a note attached to the accounts, the Irish unit’s directors said LinkedIn’s ultimate parent, Microsoft, has indemnified the company against all potential fines directed by the DPC. “Accordingly, there is no financial impact on the company,” they said.