Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
The Data Protection Commission (DPC) has reprimanded and fined LinkedIn Ireland €310 million and ordered it to bring its data processes into line with European law after finding fault with the legal basis the Microsoft-owned social media company relied upon to process its members’ data for advertising and to track behaviours.
The DPC – the lead European supervisory authority for LinkedIn, which has its EU headquarters in Dublin – issued the ruling on foot of an investigation based on a complaint originally made to the French data watchdog in 2018.
In a statement on Thursday, the DPC said LinkedIn had obtained the consent of its users for their personal data to be sent to third parties for the purposes of generating targeted advertising. However, it found that consent was not “freely given, sufficiently informed or specific, or unambiguous”, as is required under GDPR, for the information to be used for these purposes.
It is the fifth largest fine the Irish regulator has issued under the General Data Protection Regulation (GDPR) and the sixth largest by any EU authority since the regime was introduced in 2018.
“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection,” said Graham Doyle, DPC deputy commissioner.
Following the DPC’s statement, a spokeswoman for LinkedIn said: “Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU. While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline.”
The fine is lower than the $425 million (€393.4 million) Microsoft said it had set aside last year to cover the cost of penalties arising from the case, which kicked off in 2018 with a complaint from a French non-profit to that country’s data protection regulator.
The tech giant told investors in an update in June 2023 that it had seen a non-public version of the DPC’s draft decision, indicating the level of penalty it could face. Microsoft said it would “dispute the legal basis for, and the amount of, the proposed fine and will continue to defend its compliance with GDPR”.
Revenues at the main Irish unit of LinkedIn, which also manages the company’s operations in Europe, the Middle East and Africa, jumped more than 15 per cent to $5.3 billion (€4.97 billion) in 2022. The most recent accounts for LinkedIn Ireland Unlimited Company show a 45 per cent decline in pretax profits to $99.5 million (€93.4 million) in 2022.
In a note attached to the accounts, the Irish unit’s directors said LinkedIn’s ultimate parent, Microsoft, has indemnified the company against all potential fines directed by the DPC. “Accordingly, there is no financial impact on the company,” they said.