Irish Watchdog Levies Record €310 Million Penalty on LinkedIn for Breaching GDPR
The regulatory authority in Ireland has imposed a fine of €310 million ($335 million) on LinkedIn for breaching the privacy of its users through the utilization of personal information for targeted advertising based on behavioral analysis.
“The investigation scrutinized the handling of personal data by LinkedIn for the objective of behavioral analysis and targeted advertising towards users having profiles on the platform (members),” the Data Protection Commission (DPC) stated. “The ruling […] pertains to the legality, impartiality, and openness of this data processing.”
The fine has been enforced under the General Data Protection Regulation (GDPR) of the European Union (E.U.), a legislation concerning data privacy that establishes guidelines for the gathering, handling, storage, and transfer of personal data in the E.U. and the European Economic Area (EEA). This regulation came into force on May 25, 2018.
The investigation, which was initiated following a complaint lodged with the French Data Protection Authority in 2018, discovered that LinkedIn breached three distinct GDPR principles related to clarity and impartiality: Article 6 GDPR and Article 5(1)(a), Articles 13(1)(c) and 14(1)(c), and Article 5(1)(a).
This encompasses not obtaining explicit consent from users or adequately informing them before processing data from third parties regarding its members and employing valid interests as the legal basis for processing primary data for targeted advertising. In addition to the penalty, LinkedIn has been given a three-month period to align its European operations with the GDPR.
The DPC emphasized that consent acquired in a manner compliant with GDPR must be voluntary, specific, detailed, and a clear indication of the data subject’s preferences. It further stated that the processing must be conducted in a transparent and equitable manner.
“The legality of data processing is a crucial element of data protection regulations, and the processing of personal data without an appropriate legal justification is a blatant and severe infringement of an individual’s fundamental right to data protection,” remarked DPC Deputy Commissioner Graham Doyle in a declaration.
Responding to the situation, the networking platform owned by Microsoft asserted that “while maintaining our adherence to the General Data Protection Regulation (GDPR), we are actively ensuring that our advertising practices align with the guidelines set forth by the IDPC before the deadline.”
In a related development, Austrian privacy non-profit organization noyb (an acronym for None Of Your Business) filed a grievance with the data protection authority of France against the social media company Pinterest for resorting to “valid interests” to monitor user activities by default to deliver targeted advertisements without their explicit consent.
“Instead of seeking opt-in consent as per Article 6(1)(a) GDPR, it falsely argues to possess a ‘valid interest’ in processing individuals’ personal data as per Article 6(1)(f) GDPR,” noyb explained. “The tracking feature is activated by default and necessitates an objection (opt-out) from each user to halt it.”
A spokesperson from Pinterest communicated to TechCrunch that its “strategy for personalized advertising conforms to the GDPR requirements.”
About Author
