Irish data protection authority fines LinkedIn €310 million for GDPR breach

The decision followed an inquiry launched by the DPC after the French Data Protection Authority had submitted an initial complaint from a French non-profit organisation filed in August 2018. The DPC led the investigation in its role as the lead supervisory authority for LinkedIn, as LinkedIn’s EU business operations are headquartered in Ireland.

The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising of users who had created LinkedIn profiles. The personal data in question encompassed data provided directly to LinkedIn by its members and data obtained via its third-party partners relating to its members.

The decision concerns the lawfulness, fairness and transparency of the processing of this data. The DPC ordered LinkedIn to bring its processing into compliance with the GDPR and to pay an administrative fine of €310 million.

Nicola Barden, a Dublin-based data protection law expert at Pinsent Masons, commented: “The decision focuses on basic data protection requirements that all controllers should comply with, and regulators tend to take a strict approach to this type of processing.”

The DPC found that LinkedIn did not validly rely on article 6.1 of the GDPR when processing the third party data of its members for the purpose of behavioural analysis and targeted advertising. Article 6.1 of the GDPR outlines the required legal basis for processing of personal data. The legal basis can be based on consent, contractual necessity or legitimate interests.

The DPC said that the consent obtained by LinkedIn from its users was “not freely given, sufficiently informed or specific, or unambiguous”. It also found that there was no contractual necessity for the processing of relevant data and that LinkedIn could also not rely on an overriding interest, as LinkedIn’s interests “were overridden by the interests and fundamental rights and freedoms of data subjects.”

Accordingly, the DPC concluded that LinkedIn did not have a legal basis for processing data. Processing personal data without an appropriate legal basis is a violation of the data subjects’ fundamental right to data protection.

Additionally, the DPC found that LinkedIn had infringed the principle of fairness outlined in article 5(1)(a) of the GDPR. It stipulates that personal data may not be processed in a way that is detrimental, discriminatory, unexpected or misleading to the data subject.

“The decision puts other controllers on notice that if they are undertaking behavioural analysis or targeted advertising, they have to have a very clear lawful basis that meets the requirements under data protection legislation,” Barden said. “They also need to ensure that their lawful basis is set out in its public-facing privacy notice. Controllers relying on vague lawful bases and notices, will not meet the DPC’s expectations.”

“The GDPR compliance points that are the focus of the DPC’s findings also reflect the need for controllers to properly consider ‘data protection by design’ in respect of their data processing activities” said Andreas Carney, a Dublin-based partner at Pinsent Masons. “The decision underlines the importance of reflecting on compliance requirements in the round and from the ground up.”

Before handing down the decision, the DPC had submitted a draft decision to the other GDPR enforcement authorities of the EU member states in July 2024, as required under article 60 of the GDPR. The other authorities did not object to the suggested fine and order.

The so-called ‘one stop shop’ mechanism under the GDPR is envisaged to allow businesses to deal with just one data protection authority (DPA) in relation to their EU operations, as opposed to DPAs across all EU member states.

The mechanism provides for one DPA to take a lead in investigating cross-border cases. However, it requires the lead authority to enter into dialogue with the other DPAs in the countries where data subjects have been impacted and makes provision for those other DPAs to input to the inquiries and to raise 'relevant and reasoned' objections against proposed decisions of the lead authority. The European Data Protection Board (EDPB) has the power to issue binding decisions in cases where the lead authority and objecting authorities cannot reach a consensus.

The Irish DPC is often in charge of leading on data protection investigations in the tech business, as most large digital businesses have their EU headquarters in Ireland. However, decisions proposed by the DPC have often been challenged by other national DPAs, usually for being too lenient.

“The DPC will likely be pleased that there were no objections to its draft decision from other supervisory authorities, after a run of criticism for its decisions in the last few years,” Barden said.