LinkedIn has been fined €310 million ($335 million) by Ireland’s Data Protection Commission (DPC) for improperly using members’ personal data in targeted advertising, a violation of the European Union’s General Data Protection Regulation (GDPR).
This penalty, one of the most significant against Big Tech under GDPR, is tied to LinkedIn’s failure to obtain proper legal consent or provide a legitimate basis for analyzing user data to serve behavioral ads.
Background of the GDPR Investigation
The DPC, responsible for overseeing LinkedIn’s data protection compliance in Europe due to the company’s Irish headquarters, found LinkedIn’s practices lacked necessary transparency and fairness. In particular, the regulator determined that LinkedIn violated GDPR rules by processing users’ data without clear, lawful grounds.
LinkedIn attempted to justify its practices by citing “consent,” “legitimate interests,” and “contractual necessity” as legal bases. However, the DPC concluded these reasons were invalid for the types of data processing LinkedIn carried out, both directly and through third parties, to serve targeted ads.
This investigation began in 2018 after the French digital rights group, La Quadrature Du Net, filed a complaint. Initially directed to the French Data Protection Authority, the case was later transferred to the DPC due to LinkedIn’s regional base in Ireland. The DPC launched its own inquiry into LinkedIn’s operations in August 2018 and, after years of deliberation, presented its draft decision to other EU data protection authorities in July 2024. No objections were raised, leading to the final ruling and public disclosure of the fine.
The DPC Deputy Commissioner, Graham Doyle, commented on the severity of LinkedIn’s GDPR breach, stating, “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection.”
Beyond the financial penalty, LinkedIn is required to bring its data processing methods into full compliance with GDPR within the next three months. This mandate reflects the DPC’s demand for improved transparency and adherence to data protection standards.
This fine, while LinkedIn’s largest to date, was anticipated by its parent company, Microsoft. Microsoft had already notified investors of a potential financial impact, setting aside funds to account for a possible penalty. In response to the ruling, LinkedIn spokesperson Jonny Wing noted in a statement that while the company believes it was in compliance, it will adjust its advertising practices to meet the DPC’s requirements by the specified deadline.
