Irish Watchdog Imposes Record €310 Million Fine on LinkedIn for GDPR Violations

LinkedIn was fined €310 million ($335 million) by the Irish data protection authorities on Thursday for violating user privacy by using behavioral analysis of personal data to target advertisements.

Irish Watchdog Imposes Record €310 Million Fine on LinkedIn for GDPR Violations
LinkedIn was fined €310 million ($335 million) by the Irish data protection authorities on Thursday for violating user privacy by using behavioral analysis of personal data to target advertisements. "The inquiry examined LinkedIn's processing of personal data for behavioral analysis and targeted advertising of users who have created LinkedIn profiles (members)," said the Data Protection Commission (DPC). "The decision [...] concerns the lawfulness, fairness, and transparency of this processing."
The fine was imposed following the General Data Protection Regulation (GDPR) of the European Union (E.U.), a privacy law that creates guidelines for the gathering, handling, storing, and sharing of personal data inside the E.U. and the European Economic Area (EEA). It becomes operative on May 25, 2018. The investigation, which was started after a complaint was filed with the French Data Protection Authority in 2018, discovered that LinkedIn violated three distinct GDPR principles related to fairness and transparency: Article 5(1)(a), Article 13(1)(c) and 14(1)(c), and Article 6 GDPR.
This includes utilizing legitimate interests as a legal justification for processing first-party data for targeted advertising and failing to get users' express consent or provide them with adequate notice before processing third-party data of its members. Along with the fine, LinkedIn has been given three months to comply with the GDPR in its European operations. According to the DPC, consent acquired in a way that conforms with GDPR must be freely provided, explicit, informed, and provide a clear indication of the data subject's wishes. It also said the processing must be carried out fairly and transparently.
"The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject's fundamental right to data protection," Graham Doyle, Deputy Commissioner of the DPC, said in a statement. "While we believe we have complied with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC's deadline," the Microsoft-owned professional networking site said in response to the news.
In similar news, social networking platform Pinterest was the target of a complaint by Austrian privacy non-profit Noyb (short for None Of Your Business) to France's data protection regulator for using "legitimate interests" to automatically track user behavior. "Instead of seeking opt-in consent under Article 6(1)(a) GDPR, it falsely claims to have a 'legitimate interest' in processing people's data under Article 6(1)(f) GDPR," noyb stated. "Tracking is turned on by default and would require an objection (opt-out) by each user to stop."
TechCrunch was informed by a representative of Pinterest that the company's "approach to personalized advertising is GDPR compliant."