Irish Watchdog Imposes Record €310 Million Fine on LinkedIn for GDPR Violations
- November 4, 2024
- Posted by: claudia
On October 25, 2024, the Irish Data Protection Commission (DPC) imposed a significant fine of €310 million ($335 million) on LinkedIn for infringing user privacy through inappropriate behavioral analysis of personal data for targeted advertising. This action arises from an inquiry focused on LinkedIn’s methods of processing members’ personal data, with particular attention paid to the principles enshrined in the European Union’s General Data Protection Regulation (GDPR).
The investigation was initiated in response to a complaint filed in 2018 with the French Data Protection Authority, leading to the discovery of multiple violations by LinkedIn. Specifically, the DPC highlighted breaches related to transparency and fairness, referencing several GDPR articles that dictate proper data handling practices, including Articles 6, 5(1)(a), 13(1)(c), and 14(1)(c). LinkedIn was found to have failed to obtain explicit user consent and to have inadequately informed users before using their data, particularly regarding third-party data processing.
To address these violations, LinkedIn must revise its advertising practices to align them with GDPR standards within three months of the penalty announcement. The DPC emphasized that compliance necessitates consent that is freely given, specific, informed, and unambiguous as required by the law. Deputy Commissioner Graham Doyle asserted the importance of lawful processing as a core tenet of data protection, indicating that unauthorized processing is a serious infringement of individual rights.
In its response to the fine, LinkedIn, which is owned by Microsoft, expressed its belief that it had been complying with GDPR regulations and indicated its commitment to updating its ad practices to meet the DPC’s demands.
Additionally, the article reports on a related case where the Austrian privacy advocacy organization noyb filed a complaint against Pinterest. The organization accused the platform of improperly utilizing “legitimate interests” to track user activity by default, enabling targeted ads without explicit consent from users. According to noyb, Pinterest’s approach contradicts the requirement for opt-in consent under Article 6(1)(a) of the GDPR and unjustly relies on Article 6(1)(f), which pertains to legitimate interests.
In response to these allegations, Pinterest maintains that its personalized advertising practices are compliant with GDPR regulations, asserting the legality of its current data processing strategies.
The developments surrounding LinkedIn and Pinterest highlight ongoing scrutiny regarding data privacy and compliance with GDPR, illustrating the changing landscape of digital advertising and user privacy in the European context. These cases underscore the emerging challenges and expectations for companies operating within or dealing with users in the EU regarding the handling and processing of personal data.