Microsoft-owned LinkedIn has been whacked with a €310m (£258m) fine and ordered to overhaul its data processing practices, after being found in breach of GDPR over its use of personal data for targeted advertising and behavioural analysis.
The penalty, which also includes a reprimand, follows a full-scale investigation by the Irish Data Protection Commission, in its role as the lead EU supervisory authority for LinkedIn, and a lengthly legal process.
The case dates back to a 2018 complaint to French regulator CNIL. The Irish DPC eventually ruled that the consent obtained by LinkedIn from its users for advertising purposes was not freely given, sufficiently informed or specific, or unambiguous.
The decision was first flagged up by Microsoft in a statement published in the investor relations section of its website in June 2023. At the time, the tech giant said: “After review and analysis, the company will increase its existing reserve for the matter and, based on current exchange rates take a charge of approximately $425m in the fourth quarter of fiscal year 2023.
“The company intends to dispute the legal basis for, and the amount of, the proposed fine and will continue to defend its compliance with GDPR. There is no set timeline as to when the Irish DPC will issue a final decision.”
The case pre-dates an ongoing European Commission investigation into LinkedIn’s advertising practices under the new Digital Services Act, designed to ensure larger platforms’ compliance with transparency and algorithm accountability, among other measures.
In a statement, the regulator said that it had submitted a draft decision to the European GDPR co-operation mechanism, as required under Article 60 of the regulation. It added: “No objections to the DPC’s draft decision were raised. The DPC is grateful for the co-operation and assistance of its peer EU/EEA supervisory authorities in this case.”
DPC deputy commissioner Graham Doyle said: “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.”
A LinkedIn spokesperson said: “Today the Irish DPC reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU.
“While we believe we have been in compliance with GDPR, we are working to ensure our ad practices meet this decision by the deadline.”
Related stories
Brussels opens probe of LinkedIn online ad targeting
TikTok insists ‘we’ve changed’ following €345m EU fine
Meta ruling blows US data transfers out of the water
Meta rocked by EU data transfer block and €1.2bn fine
LinkedIn mass hack attack triggers ransom demands
Microsoft vows to fight $425m GDPR fine for LinkedIn
EU data chief steps up attack on ‘pervasive’ online ads
