LinkedIn, a popular employment-based platform owned by Microsoft, has been fined $335 million for breaching data privacy.
The heavy penalty comes in response to what the Irish Data Protection Commission (DPC) has called “a clear and serious violation” of the right to data protection on the part of LinkedIn. An investigation was launched into LinkedIn’s targeted advertising practices after a complaint was lodged against the platform with the French Data Protection Authority.
The probe examined the processing of personal data for targeted and behavioural advertising for LinkedIn users. The DPC’s conclusion of the investigation “concerns the lawfulness, fairness and transparency of this processing”. The platform has been ordered to bring its data processing practices into compliance with the EU’s stringent data protection law — the General Data Protection Regulation (GDPR).
In response, LinkedIn has said that the platform is working to ensure compliance with the bloc’s data protection regulations. “While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline,” LinkedIn said in a brief statement.
The DPC’s verdict states that LinkedIn failed to obtain “sufficiently informed or specific, or unambiguous” consent from its members (users) while processing their third-party data for such purposes as behavioural analysis and targeted advertising. In addition, LinkedIn did not justify “legitimate interests” as laid out in the GDPR “for its processing of first party personal data of its members for behavioural analysis and targeted advertising, or third party data for analytics”.
Thirdly, LinkedIn did not abide by “contractual necessity” to process first-party data of users for the purpose of behavioural analysis and targeted advertising, according to the official statement by the DPC. “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection,” DPC Deputy Commissioner Graham Doyle remarked.
Earlier in June, LinkedIn discontinued its targeted advertising tool in the EU to comply with the Digital Services Act (DSA). The tool collected data of users for personalised advertisements. The platform stated it had disabled the tool to “prevent any misconception that ads to European members could be indirectly targeted based on special categories of data or related profiling categories”.