On October 24, 2024, the Irish Data Protection Commissioner (DPC) announced its decision in which it fined LinkedIn Ireland Unlimited Company €310 million for violating the General Data Protection Regulation (GDPR) following a complaint initially made to the French data protection authority (CNIL).

Background to the decision

The DPC noted that the decision relates to a complaint-based inquiry, which commenced on August 20, 2018, following a complaint made by the French non-profit organization, La Quadrature Du Net. The complaint was initially made to CNIL and thereafter provided to the DPC in its role as the lead supervisory authority for LinkedIn, which acts as the controller for the processing of personal data at issue.

The inquiry examined LinkedIn's processing of personal data for the purposes of behavioral analysis and targeted advertising of users who have created LinkedIn profiles (members). The decision, notified to LinkedIn on October 22, 2024, concerns the lawfulness, fairness, and transparency of this processing.

Findings of the DPC

The DPC submitted a draft decision to the GDPR cooperation mechanism in July 2024, as required under Article 60 of the GDPR. No objections to the DPC’s draft decision were raised.

The DPC found that LinkedIn violated Articles 6(1)(a), 6(1)(b), 6(1)(f), 5(1)(a), 13(1)(c), and 14(1)(c) of the GDPR for:

• failing to validly rely on consent to process third-party data of its members for behavioral analysis and targeted advertising on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed, specific, or unambiguous;
• failing to validly rely on legitimate interests to process first-party personal data of its members for behavioral analysis and targeted advertising, or third-party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects;
• failing to validly rely on contractual necessity to process first-party data of its members for the purpose of behavioral analysis and targeted advertising;
• failing to provide information LinkedIn provided to data subjects regarding its reliance on Articles 6(1)(a), 6(1)(b), and 6(1)(f) GDPR as lawful bases; and
• violation of the principle of fairness.

Outcomes

In light of the above, the DPC issued the following corrective powers to LinkedIn:

• a reprimand pursuant to Article 58(2)(b) of the GDPR;
• three administrative fines totaling €310 million pursuant to Articles 58(2)(i) and 83 of the GDPR; and
• an order for LinkedIn to bring its processing into compliance with the GDPR pursuant to Article 58(2)(d) of the GDPR.

You can read the press release here.