On 24th October 2024, the Irish Data Protection Commission (DPC) imposed a €310 million fine on LinkedIn, marking the conclusion of an extensive investigation into LinkedIn’s compliance with the GDPR. The inquiry originated in a 2018 complaint by the French non-profit La Quadrature Du Net, filed initially with the French data protection authority and later transferred to the DPC as LinkedIn’s lead supervisory authority. The investigation focused on LinkedIn’s use of its users’ personal data for behavioural analysis and targeted advertising, examining whether LinkedIn’s practices adhered to the core GDPR principles of lawfulness, fairness, and transparency.
Key GDPR Violations
- Breach of Lawfulness, Fairness and Transparency (Article 5(1)(a))
Under Article 5(1)(a) GDPR, personal data must be processed in a lawful, fair, and transparent manner. In the present case, the DPC found that LinkedIn’s data processing activities violated these principles in several ways. LinkedIn’s lack of a valid legal basis for data processing breached ‘lawfulness,’ while the insufficient and unclear information provided to users about data usage violated ‘transparency.’ Furthermore, LinkedIn’s processing practices did not meet the standard of ‘fairness’ to data subjects, potentially misleading or disadvantaging users and thereby undermining their basic rights under the GDPR.
- Invalid Legal Basis for Processing (Article 6)
Under the GDPR, personal data processing must rely on one of the legal grounds specified in Article 6(1). Depending on the chosen lawful basis, certain conditions apply. For instance, any consent gathered must meet GDPR standards: it must be freely given, specific, informed, and a clear indication of the data subject’s intention to consent. LinkedIn had claimed that its processing of personal data for the purpose of behavioural advertising was based on ‘Consent,’ ‘Legitimate Interest,’ and ‘Contractual Necessity.’ The DPC, however, found that LinkedIn had not validly relied on any of the abovementioned legal bases in accordance with the GDPR.
- Failure in Ensuring Transparency (Articles 13(1)(c) and 14(1)(c))
Transparency is equally essential in data protection, providing data subjects with control over how their personal data is processed. By adhering to transparency requirements, controllers ensure that data subjects are adequately informed of the scope and impact of data processing in advance, empowering them to exercise their rights fully. Articles 13(1)(c) and 14(1)(c) of the GDPR outline essential transparency requirements, obliging data controllers to inform data subjects about the purpose and legal basis for processing their data at the point of collection. The DPC was of the opinion that the information provided by LinkedIn to its users regarding its data processing activities was inadequate and did not fulfil the requirements of Articles 13(1)(c) and 14(1)(c), preventing users from fully understanding the scope and consequences of LinkedIn’s data processing practices.
Penalties and Corrective Actions
In response to these violations, the DPC exercised the following corrective measures and penalties:
- Official Reprimand: The DPC issued an official reprimand under Article 58(2)(b) to address LinkedIn’s failure to comply with GDPR.
- Administrative Fines: Based on Articles 58(2)(i) and 83 GDPR, three fines totalling €310 million were imposed against LinkedIn.
- Compliance Order: LinkedIn was ordered under Article 58(2)(d) to bring its data processing practices into compliance with the GDPR. LinkedIn has been given three months to do so.
Conclusion
The DPC’s decision demonstrates the stringent enforcement of the GDPR’s foundational principles of lawfulness, fairness, and transparency. The severe financial penalty, combined with the compliance order, sends a clear message to organisations across the EU and the world at large about the importance of lawful data practices. This case highlights the GDPR’s rigorous standards for valid consent, lawful processing, and transparent communication with data subjects, and underscores its role in safeguarding individual rights and promoting responsible data governance across the EU.
If you’re an organization dealing with copious amounts of data, do visit www.tsaaro.com.
Read our blog on Understanding Uber’s €290 million Fine for GDPR Violation
News of the Week
1. Italy’s Data Protection Authority Raises Concerns Over Intesa Sanpaolo Data Breach Impact
Italy’s data protection authority has expressed concerns over Intesa Sanpaolo’s handling of a recent data breach, noting that the bank may have underestimated the severity of the incident, which reportedly affected thousands of clients, including Prime Minister Giorgia Meloni. Last month, the authority requested the bank to clarify the circumstances surrounding an employee’s unauthorized access to the personal information of approximately 3,500 customers. In response, Intesa stated that further investigation revealed a significantly lower number of clients were impacted than initially reported by the media.
2. UK Orders China-Registered Firm to Divest Majority Stake in Scottish Chip Company Over Security Concerns
On Wednesday, the British government mandated that China-registered Future Technology Devices International Holding Ltd (FTDIHL) divest its 80.2% stake in Scottish semiconductor firm FTDI, citing national security risks. According to the government’s statement, the order requires FTDIHL to complete the sale within a set timeframe and through a specified procedure. The UK expressed concern that semiconductor technology and intellectual property developed domestically could potentially be misused in ways that threaten national security.
3. South Korea Fines Meta $15.67 Million Over Major Data Privacy Violations
South Korea’s Personal Information Protection Commission (PIPC) fined Meta Platforms $15.67 million for breaching the Personal Information Protection Act by collecting sensitive data from nearly 980,000 users and sharing it with 4,000 advertisers without consent. Meta’s practices, including collecting data on political and religious views, were deemed insufficiently transparent. Additionally, PIPC noted Meta’s refusal to grant user access to personal data and security lapses that led to a data breach. The ruling reinforces a global trend of stringent data privacy enforcement, with PIPC requiring Meta to strengthen data protections and adhere to user access rights.
4. Amazon Seeks Dismissal of Lawsuit Alleging Unauthorized Alexa Recordings
Amazon has requested a U.S. judge to dismiss a multibillion-dollar lawsuit alleging that its cloud-based voice service, Alexa, unlawfully recorded private conversations without user consent. In a filing on Wednesday in Seattle’s federal court, Amazon argued that, despite years of litigation, consumers had not demonstrated that the company engaged in unfair or deceptive practices.
5. Brazilian Consumer Group Sues Social Media Giants Over Minor Protection Measures
The Collective Defense Institute, a Brazilian consumer rights organization, has initiated two lawsuits seeking 3 billion reais (equivalent to $525.27 million) from the Brazilian subsidiaries of TikTok, Kwai, and Meta Platforms. The lawsuits allege that these companies have not implemented adequate safeguards to prevent unrestricted access to their platforms by minors. This case highlights the growing focus on social media regulation in Brazil, particularly following a recent high-profile dispute between Elon Musk’s X and a Brazilian Supreme Court justice, which led to substantial fines.