LinkedIn is facing a significant penalty of €310 million ($334 million) after the Irish Data Protection Commission (DPC) found that the professional networking platform had conducted unauthorized behavioral analyses of its members’ personal data for targeted advertising purposes. The DPC’s decision asserts that LinkedIn violated the General Data Protection Regulation (GDPR) by failing to obtain necessary consent, demonstrate legitimate interest, or establish a contractual necessity to process the data collected by the platform and its third-party partners.
The regulatory body has also reprimanded LinkedIn and issued an order requiring the company to collect and process user data in compliance with the GDPR. According to DPC Deputy Commissioner Graham Doyle, the unauthorized processing of personal data without a valid legal basis constitutes a fundamental breach of an individual’s right to data protection. “The lawfulness of processing is a critical aspect of data protection law, and any processing of personal data without an appropriate legal basis is a clear and serious infringement of a data subject’s fundamental right to data protection,” Doyle emphasized.
The DPC’s decision is the result of a complaint lodged by the French non-profit organization, La Quadrature Du Net, in 2018. The initial inquiry, which began in 2018, aimed to determine whether LinkedIn processed user data in a lawful, fair, and transparent manner. The matter was initially raised with the French Data Protection Authority before being transferred to the DPC, given that LinkedIn’s European headquarters is based in Ireland.
