Resources

Inquiry into LinkedIn Ireland Unlimited Company - October 2024

(IN-18-08-3)

Date of Decision: 22 October 2024

The Decision concerns an Inquiry by the Data Protection Commission (the DPC) into LinkedIn Ireland Unlimited Company (LinkedIn), a data controller with its main establishment in Ireland. The Decision relates to a complaint-based inquiry, which was commenced on 20 August 2018, following a complaint made by the French non-profit organisation, La Quadrature Du Net (the Complaint).

The Complaint was initially made to the French Data Protection Authority, on behalf of affected data subjects pursuant to Article 80(1) GDPR, and later transmitted to the DPC as lead supervisory authority for LinkedIn. The Complaint asserted that LinkedIn had processed certain personal data relating to the data subjects, for the purposes of behavioural analysis and targeted advertising (BA & TA), without a valid legal basis and in an unfair and non-transparent manner.

The DPC commenced a statutory inquiry (the Inquiry), on 20 August 2018, to examine LinkedIn’s compliance with Articles 5(1)(a), 6(1), 13(1)(c), 13(1)(d), 14(1)(c) and 14(2)(b) of the GDPR. The inquiry was commenced pursuant to Section 110 of the Data Protection Act 2018 (the 2018 Act).

Summary of Findings

The Decision concluded that:

  • LinkedIn could not validly rely on Article 6(1)(a) GDPR to process third party data of its members for the purpose of BA & TA, excluding analytics, on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous.
  • LinkedIn could not validly rely on Article 6(1)(f) GDPR for its processing of first-party data personal data of its members for BA and TA or third party data for analytics.
  • LinkedIn could not validly rely on Article 6(1)(b) GDPR to process first party data of its members for the purpose of BA & TA.
  • LinkedIn infringed Article 13(1)(c) and 14(1)(c) in respect of the information it provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) as lawful bases.
  • LinkedIn infringed the principle of fairness in Article 5(1)(a) GDPR.

Corrective Measures

Under Section 113(4)(a) of the 2018 Act, where the DPC adopts a decision (in accordance with Section 113(2)(b)), it must, in addition, make a decision as to whether a corrective power should be exercised in respect of the controller or processor concerned and, if so, the corrective power to be exercised. Article 58(2) GDPR sets out the corrective powers that supervisory authorities may exercise in respect of non- compliance by a controller or processor.

Having carefully considered the infringements identified in the Decision, the DPC decided to exercise certain corrective powers in accordance with Section 115 of the 2018 Act and Article 58(2) GDPR. The corrective powers that the DPC decided were appropriate to address the infringements in the particular circumstances were:

  • Issuing a reprimand to LinkedIn in respect of its infringements of the GDPR identified in the Decision (i.e. Articles 5(1)(a), 6(1), 13(1)(c) and 14(1)(c) GDPR).
  • Imposing an order to LinkedIn to bring its processing into compliance with the GDPR. This order requires:
    • firstly, that LinkedIn to bring its Privacy Policy into compliance with Articles 13(1)(c) and 14(1)(c) GDPR as regards information provided on data processed pursuant to Articles 6(1)(a), 6(1)(b) and 6(1)(f) GDPR, if those legal bases continue to be relied upon by LinkedIn for the purposes of BA & TA and analytics;
    • secondly, that LinkedIn to take the necessary action to bring its processing of personal data for the purpose of BA & TA into compliance with Article 6(1) GDPR, in particular, to take the necessary action to address the findings in the Decision that LinkedIn did not validly rely in Articles 6(1)(a), 6(1)(b) and 6(1)(f) GDPR to carry out the identified processing.
  • Imposing three administrative fines totalling €310 million, which were effective, proportionate and dissuasive, as follows:
    • With regard to LinkedIn’s reliance on the lawful basis in Article 6(1)(a) GDPR, and in respect of LinkedIn’s infringements of Articles 5(1)(a) and 6(1) GDPR for the processing of third party data of its members for BA & TA without a valid lawful basis, a fine of €105 million.
    • With regard to LinkedIn’s reliance on the lawful bases in Articles 6(1)(b) and 6(1)(f) GDPR, and in respect of LinkedIn’s infringements of Articles 5(1)(a) and 6(1) GDPR for the processing of first party data of its members for BA & TA and third party data for analytics without a valid lawful basis, a fine of €110 million.
    • In respect of LinkedIn’s infringements of Article 13(1)(c) GDPR and 14(1)(c) GDPR, a fine of €95 million.

The DPC did not impose a separate fine for the infringement of the Article 5(1)(a) GDPR principle of fairness in circumstances where the infringement was based on conduct that the DPC had already fully taken into account in imposing separate administrative fines.

Prior to its adoption, the DPC submitted a draft of its decision to the Concerned Supervisory Authorities in July 2024, as required under Article 60(3) of the GDPR. The Concerned Supervisory Authorities did not raise any objections (for the purpose of Article 60(4) GDPR) to the draft decision.

For more information, you can download: