Bad news for LinkedIn in Europe, where the Microsoft-owned social network has been reprimanded and fined €310 million for privacy violations related to its tracking ads business.
The administrative penalties, which are worth around $335 million at current exchange rates, have been issued by Ireland’s Data Protection Commission (DPC) under the European Union’s General Data Protection Regulation (GDPR). The regulator found a raft of breaches, including breaches to the lawfulness, fairness and transparency of its data processing in this area.
The GDPR requires that uses of people’s information have a proper legal basis. In this case, the justifications LinkedIn had relied upon to run its tracking ads business were found to be invalid. It also did not properly inform users about its uses of their information, per the DPC’s decision.
LinkedIn had sought to claim (variously) “consent”-, “legitimate interests”-, and “contractual necessity”-based legal bases for processing people’s information — when obtained directly and/or from third parties — to track and profile its users for behavioral advertising. However, the DPC found none were valid. LinkedIn also failed to comply with the GDPR principles of transparency and fairness.
Commenting in a statement, DPC deputy commissioner Graham Doyle said: “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection.”
The size of the sanction catapults the professional social network into a mid-table position in the top 10 biggest GDPR penalties on Big Tech. And while this is not the first time LinkedIn has been slapped for regional data protection violations, it is certainly its most significant sanction to date. (Albeit, the company was keen to flag that the size of the fine was less than the amount Microsoft set aside in an earlier 10-K disclosure alerting investors that it expected a sanction.)
The case against LinkedIn originated with a complaint in France in 2018 by the digital rights non-profit La Quadrature Du Net. The country’s data protection authority then passed the complaint to the DPC, on account of its role as lead oversight body for Microsoft’s GDPR compliance.
The DPC instigated a complaint-based investigation in August 2018 before finally going on to submit its draft decision to other interested data protection authorities almost a full six years later (in July 2024). After no objections were raised, the decision was finalized and the enforcement has now been made public.
As well as being fined, LinkedIn has been given three months to bring its European operations into compliance with the GDPR.
LinkedIn spokesman Jonny Wing pointed TechCrunch to a statement put out on the company’s press room regarding the sanction in which it wrote: “Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU. While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline.”
This report was updated with a correction to the currency conversion of the DPC fine.
EU antitrust regulators on Friday (22 November) closed a four-year-long investigation into Apple's rules for competing e-book and audiobook
This week we tracked more than 95 tech funding deals worth over €2.5 billion, and over 15 exits, M&A transactions, rumours,
PARIS, Nov. 22, 2024 /PRNewswire/ -- Huawei hosted the 2024 "Europe Innovation Day" in Paris, an event where European tech leaders, busi
The twin challenges of tightening regulations and a lack of growth-stage investments are casting a long shadow over European artificial intelligence and deep te