The Irish Data Protection Commission (DPC) has fined LinkedIn €310 million following an inquiry into the platform’s handling of personal data for behavioral analysis and targeted advertising.
The investigation, initiated after a complaint from the French Data Protection Authority, revealed serious violations of the General Data Protection Regulation (GDPR) by LinkedIn, including unlawful data processing practices and failure to obtain valid user consent.
The DPC determined that LinkedIn breached GDPR’s transparency and lawfulness requirements by processing users’ data without adequate consent and using it for targeted advertising under claims of “legitimate interest.”
The platform also improperly relied on contractual necessity to justify data processing for behavioral analysis, which was found unnecessary for fulfilling user contracts. LinkedIn has been ordered to reform its data processing practices to ensure compliance with GDPR.
Graham Doyle, Deputy Commissioner of the DPC, stressed the importance of lawful data processing in protecting users’ rights, underscoring that LinkedIn’s violations represented a serious breach of individuals’ fundamental right to data protection.
This ruling follows a growing trend of regulatory action against tech companies. In July 2024, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) and the Nigeria Data Protection Commission (NDPC) fined Meta Platforms $220 million after investigating privacy breaches involving Nigerian users’ data.