Irish Data Protection Commission fined LinkedIn €310M after finding its use of behavioral data for targeted ads violated privacy laws, requiring compliance changes.
The DPC’s inquiry was launched following an initial complaint to the French Data Protection Authority.
“The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioural analysis[1] and targeted advertising[2] of users who have created LinkedIn profiles (members).” reads the DPC’s announcement. “The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million.”
LinkedIn’s reliance on user consent was deemed insufficiently informed, and its interests were found to override user rights and freedoms. The Irish Agency also mandates LinkedIn to revise its data processing to align with GDPR standards.
The probe claims that LinkedIn infringed GDPR Article 6 GDPR and Article 5(1)(a), Articles 13(1)(c) and 14(1)(c), and Article 5(1)(a).
Alongside the €310M fine, the authority gave LinkedIn three months to ensure GDPR compliance, requiring clear, freely given, informed consent and fair, transparent data processing.
“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.” said DPC Deputy Commissioner Graham Doyle.
In September, the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland Limited (MPIL) €91 million ($100 million) for storing the passwords of hundreds of millions of users in plaintext, violating data protection regulations.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, privacy)