LinkedIn fined $356 million in EU for tracking ad privacy violations

Bad news for LinkedIn in Europe where the Microsoft-owned social network has been reprimanded and fined 310 million euros for privacy violations linked to its ad tracking activity.

The administrative penalties, amounting to approximately $356 million at current exchange rates, were issued by the Irish Data Protection Commission (DPC) under the European Union’s General Data Protection Regulation (GDPR). The regulator noted a series of breaches, including breaches of the lawfulness, fairness and transparency of its data processing in this area.

The GDPR requires that uses of personal information have an appropriate legal basis. In this case, the rationales LinkedIn relied on to manage its tracking ads business were found to be invalid. It also failed to properly inform users of its use of their information, according to the DPC’s decision.

LinkedIn had sought to claim (in various ways) legal bases based on “consent”, “legitimate interests” and “contractual necessity” for processing people’s information – when obtained directly and/or from third parties – in order to track and profile its users for behavioral advertising. However, the DPC found none of them valid. LinkedIn also failed to comply with the GDPR principles of transparency and fairness.

Commenting in a statement, Deputy Commissioner of the DPC, Graham Doyle, said: “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis constitutes a clear and serious breach of the fundamental right of data subjects to data protection.”

The scale of the sanction catapults the professional social network into a middle position in the top 10 of the biggest GDPR sanctions imposed on Big Tech. And while this isn’t the first time LinkedIn has come under fire for regional data protection violations, it’s certainly the most significant penalty yet. (However, the company wanted to point out that the fine amount was less than the amount Microsoft set aside in a previous 10-K disclosure alerting investors that it expected a penalty.)

The case against LinkedIn originated in a complaint filed in France in 2018 by the digital rights association La Quadrature Du Net. The national data protection authority then referred the complaint to the DPC, due to its role as the lead monitoring body for Microsoft’s GDPR compliance.

The DPC opened an investigation into the complaint in August 2018 before finally submitting its draft decision to other interested data protection authorities almost six years later (in July 2024). As no objections were raised, the decision was finalized and the execution was made public.

In addition to a fine, LinkedIn has three months to bring its European operations into compliance with the GDPR.

LinkedIn spokesperson Jonny Wing pointed TechCrunch to a statement published in the company’s newsroom regarding the sanction in which he wrote: “Today, the Irish Data Protection Commission (IDPC) has made a final decision on 2018 complaints regarding certain of our digital advertising efforts in the EU. Although we believe we have complied with the General Data Protection Regulation (GDPR), we strive to ensure that our advertising practices comply with this decision by the deadline set by the IDPC.”