Bad news for LinkedIn in Europe where the Microsoft-owned social network has been reprimanded and fined €310 million for privacy violations related to its tracking ads business.
The administrative penalties, which are worth around $356 million at current exchange rates, have been issued by Ireland’s Data Protection Commission (DPC) under the European Union’s General Data Protection Regulation (GDPR). The regulator found a raft of breaches, including breaches of the lawfulness, fairness and transparency of its data processing in this area.
The GDPR requires that uses of people’s information have a proper legal basis. In this case, the justifications LinkedIn had relied upon to run its tracking ads business were found to be invalid. It also did not properly inform users about its uses of their information, per the DPC’s decision.
LinkedIn had sought to claim (variously) “consent”-, “legitimate interests”- and “contractual necessity”-based legal bases for processing people’s information — when obtained directly and/or from third parties — to track and profile its users for behavioral advertising. However, the DPC found none were valid. LinkedIn also failed to comply with the GDPR principles of transparency and fairness.
Commenting in a statement, DPC deputy commissioner Graham Doyle said: “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.”
The size of the sanction catapults the professional social network into a mid-table position among the ten biggest GDPR penalties on Big Tech. And while this is not the first time LinkedIn has been slapped for regional data protection violations, it is certainly its most significant sanction to date. (That said, the company was keen to flag that the size of the fine was less than the amount Microsoft set aside in an earlier 10-K disclosure alerting investors that it expected a sanction.)
The case against LinkedIn originated with a complaint in France in 2018 by the digital rights non-profit La Quadrature Du Net. The country’s data protection authority then passed the complaint to the DPC, on account of its role as lead oversight body for Microsoft’s GDPR compliance.
The DPC instigated a complaint-based investigation in August 2018 before finally going on to submit its draft decision to other interested data protection authorities almost a full six years later (in July 2024). After no objections were raised, the decision was finalized and the enforcement has now been made public.
As well as being fined, LinkedIn has been given three months to bring its European operations into compliance with the GDPR.
LinkedIn spokesman Jonny Wing pointed TechCrunch to a statement put out on the company’s press room regarding the sanction in which it wrote: “Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU. While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline.”