What you need to know
- Microsoft-owned LinkedIn faces a €310 million ($334 million) fine by the European Union for violating data processing laws.
- The GDPR violations fall under Article 5 and Article 6, which require personal data to be handled in a lawful manner that protects people’s privacy.
- The decision results in LinkedIn receiving a reprimand, a fine of €310 million ($334 million), and an order to the company to bring data processing into compliance.
LinkedIn received a €310 million ($334 million) fine from the European Union (EU) for violating data protection laws. Alongside that fine, the Microsoft-owned LinkedIn received a reprimand and an order to bring data processing into compliance. The inquiry that resulted in a fine and other forms of punishment centered around LinkedIn’s processing of personal data “for the purposes of [behavioral] analysis and targeted advertising of users who have created LinkedIn profiles.”
Commissioners for Data Protection Dr Des Hogan and Dale Sunderland notified LinkedIn of the decision this week.
“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection,” said DPC Deputy Commissioner Graham Doyle.
Specifically, the decision notes the following infringements of GDPR:
- Article 6 GDPR and Article 5 GDPR, insofar as it requires the processing of personal data to be lawful, as LinkedIn:
  - Did not validly rely on Article 6 GDPR (consent) to process third party data of its members for the purpose of [behavioral] analysis and targeted advertising on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous.
  - Did not validly rely on Article 6 GDPR (legitimate interests) for its processing of first party personal data of its members for [behavioral] analysis and targeted advertising, or third party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects.
  - Did not validly rely on Article 6 GDPR (contractual necessity) to process first party data of its members for the purpose of [behavioral] analysis and targeted advertising.
- Articles 13 and 14 GDPR, in respect of the information LinkedIn provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) GDPR as lawful bases.
- Article 5 GDPR, the principle of fairness.
In layman’s terms, LinkedIn did not get valid consent from its users to use their data for advertising and analyzing customer behavior. Additionally, LinkedIn did not show a legitimate interest or need to gather and process the customer data in the way it did.
This week’s decision by the EU follows a complaint made in August 2018 by the French non-profit organisation La Quadrature du Net. The complaint was first looked at by the French Data Protection Authority before the DPC took a look.