LinkedIn’s €310 Million Wake-Up Call: A Landmark Ruling on Fairness, Transparency, and Consent

On 24th October 2024, the Irish Data Protection Commission (DPC), imposed a €310 million fine on LinkedIn, marking the conclusion of an extensive investigation into LinkedIn’s compliance with the GDPR. This inquiry, initiated from a 2018 complaint by the French non-profit La Quadrature Du Net (filed initially with the French Data Protection Commission), was later transferred to the DPC, as LinkedIn’s lead supervisory authority The investigation focused on LinkedIn’s use of personal data of its users for behavioural analysis and targeted advertising, examining whether LinkedIn’s practices adhered to the core GDPR principles of lawfulness, fairness, and transparency.

Key GDPR Violations

  1. Breach of Lawfulness, Fairness and Transparency (Article 5(1)(a))

Under Article 5(1)(a) GDPR, personal data must be processed in a lawful, fair, and transparent manner. In the present case, the DPC found LinkedIn’s data processing activities to be violative of these principles in several ways. LinkedIn’s lack of a valid legal basis for data processing breached ‘lawfulness,’ while the insufficient and unclear information provided to users about data usage violated ‘transparency.’ Furthermore, LinkedIn’s processing practices did not meet the standard of ‘fairness’ to data subjects, potentially misleading or disadvantaging users, which undermined their basic rights under GDPR.

  • Invalid Legal Basis for Processing (Article 6)

Under the GDPR, personal data processing must rely on one of the legal grounds specified in Article 6(1). Depending on the chosen lawful basis, certain conditions apply. For instance, any consent gathered must meet GDPR standards, being freely given, specific, informed, and clearly indicating the data subject’s intention to give consent. LinkedIn had claimed that the processing of personal data for the purpose of behavioural advertising was based on ‘Consent,’ ‘Legitimate Interest, and ‘Contractual Necessity.’ The DPC however, found that LinkedIn had not validly relied on any of the abovementioned legal basis in accordance with GDPR.

  • Failure in Ensuring Transparency (Articles 13(1)© and 14(1)©)

Transparency is equally essential in data protection, providing data subjects with control over how their personal data is processed. By adhering to transparency requirements, controllers ensure that data subjects are adequately informed of the scope and impact of data processing in advance, empowering them to exercise their rights fully. Articles 13(1)© and 14(1)© of the GDPR outline essential transparency requirements, obliging data controllers to inform data subjects about the purpose and legal basis for processing their data at the point of collection. The DPC was of the opinion that the information provided by LinkedIn to its users regarding its data processing activities was inadequate and did not fulfil the requirements of Articles 13(1)© and 14(1)©, preventing users from fully understanding the scope and consequences of LinkedIn’s data processing practices.

Want to know more about newsletter > LinkedIn’s €310 Million Wake-Up Call:A Landmark Ruling on Fairness, Transparency, and Consent