Irish Data Protection Commission fines LinkedIn Ireland €310 million

The Irish Data Protection Commission (DPC) has today announced its final decision following an inquiry into LinkedIn Ireland Unlimited Company (LinkedIn). This inquiry was launched by the DPC, in its role as the lead supervisory authority for LinkedIn, following a complaint initially made to the French Data Protection Authority.

The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioural analysis^[1] and targeted advertising^[2] of users who have created LinkedIn profiles (members). The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, and notified to LinkedIn on 22 October 2024, concerns the lawfulness, fairness and transparency of this processing. The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million.

The DPC submitted a draft decision to the GDPR cooperation mechanism in July 2024, as required under Article 60 of the GDPR^[3]. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.

The DPC’s final decision records the following findings of infringement of the GDPR:

1. Article 6 GDPR and Article 5(1)(a) GDPR, insofar as it requires the processing of personal data to be lawful, as LinkedIn:
   • Did not validly rely on Article 6(1)(a) GDPR (consent) to process third party data of its members for the purpose of behavioural analysis and targeted advertising on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous.
   • Did not validly rely on Article 6(1)(f) GDPR (legitimate interests) for its processing of first party personal data of its members for behavioural analysis and targeted advertising, or third party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects.
   • Did not validly rely on Article 6(1)(b) GDPR (contractual necessity) to process first party data of its members for the purpose of behavioural analysis and targeted advertising.
2. Articles 13(1)(c) and 14(1)(c) GDPR, in respect of the information LinkedIn provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) GDPR as lawful bases.
3. Article 5(1)(a) GDPR, the principle of fairness.

DPC Deputy Commissioner Graham Doyle commented:

“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject's fundamental right to data protection.”

The DPC will publish the full decision and further related information in due course.

Further information

This decision relates to a complaint-based inquiry, which was commenced on 20 August 2018, following a complaint made by the French non-profit organisation, La Quadrature Du Net. The complaint was initially made to the French Data Protection Authority and thereafter provided to the DPC in its role as the lead supervisory authority for LinkedIn, which acts as the controller for the processing of personal data at issue.

This inquiry examined the lawfulness, fairness and transparency of the processing of the personal data of users of the LinkedIn platform for the purposes of behavioural analysis and targeted advertising. The personal data in question encompassed data provided directly to LinkedIn by its members (first-party data) and data obtained via its third-party partners relating to its members (third-party data).

The GDPR requires processing of personal data to be based on one of the legal bases outlined in Article 6(1) GDPR, such as consent, contractual necessity or legitimate interests. Depending on the lawful basis selected by controllers, certain conditions must to be met. For example, any consent obtained must meet the standard required by the GPDR of being a freely given, specific, informed, and an unambiguous indication of the data subject’s wishes.

The GDPR also requires that processing is carried out in a fair manner. Fairness is an overarching principle, which requires that personal data may not be processed in a way that is detrimental, discriminatory, unexpected or misleading to the data subject. An absence of fairness can result in a loss of autonomy of data subjects over their personal data, put them in a position where they may be unable to exercise other GDPR rights, and impact their fundamental rights to privacy and personal data protection.

Transparency is another crucial aspect of data protection, and gives data subjects control over the processing of their personal data. Compliance with transparency provisions by controllers ensures that data subjects are fully informed of the scope and consequences of the processing of their personal data in advance and in a positon to exercise their rights.

The DPC’s final decision exercised the following corrective powers:

• a reprimand pursuant to Article 58(2)(b) GDPR;
• three administrative fines totalling €310 million pursuant to Articles 58(2)(i) and 83 GDPR; and
• an order to LinkedIn to bring its processing into compliance with the GDPR pursuant to Article 58(2)(d).

Notes to Editor

^[1] Behavioural analysis is the entire process whereby information which is provided by, inferred from or observed about an individual is used to inform the advertisements that are targeted to that individual, or is aggregated with other information for the purpose of conducting targeted advertising.

^[2] Targeted advertising is the process by which specific advertisements are targeted to an individual, based on information which is held about the individual, whether provided by them or inferred and/or observed about them.

^[3] Article 60 of the GDPR regulates the cooperation procedure between the Lead Supervisory Authority and the other Concerned Supervisory Authorities.