LinkedIn – €310,000,000 Fine (Ireland, 2024)

On the 20 August 2018, the French non-profit organisation “La Quadrature du Net” filed a complaint against LinkedIn for intransparent data processing. The complaint had initially been made to the French DPA (CNIL) and was later taken over by the Irish DPA (DPC) as the lead supervisory authority for LinkedIn. The inquiry analysed LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising to its users. It focussed on the obligation to provide information to data subjects and whether LinkedIn could rely on a legal basis for under Article 6 GDPR for this processing. In a press realease, the DPC highlighted that LinkedIn had breached the overarching principles of fairness and transparency (Article 5(1)(a) GDPR) all throughout the course of the processing. The inquiry found that none of the legal basis invoked by LinkedIn justified the data processing at hand. Specifically, the consent of the LinkedIn users to this processing had not been freely given, sufficiently informed, specific or unambiguous. Further, LinkedIn’s legitimate interests were overridden by the interests and fundamental rights and freedoms of data subjects and LinkedIn could not rely on contractual necessity for the processing. In addition, the inquiry showed that the information provided to data subjects by LinkedIn regarding the lawful basis it claimed to rely on, namely Article 6(1)(a), 6(1)(b) and 6(1)(f) GDPR was insufficient. The DPC held that LinkedIn could not rely on consent under Article 6(1)(a) GDPR, legitimate interests under Article 6(1)(f) GDPR nor contractual necessity under Article 6(1)(b) GDPR for its processing. In addition to Article 5(1)(a) GDPR, the DPC held that the information provided to data subjects violated Articles 13(1)(c) and 14(1)(c) GDPR. Made up of three administrative fines, the DPC fined LinkedIn with a total of €310,000,000 for infringements of Articles 5(1)(a), 6(1)(a), 6(1)(f), 6(1)(b), 13(1)(c) and 14(1)(c) GDPR.