"Processing of personal data without an appropriate legal basis is a clear and serious violation," says EU as it fines LinkedIn $334 million for violating GDPR


What you need to know

  • Microsoft-owned LinkedIn faces a €310 million ($334 million) fine by the European Union for violating data processing laws.
  • The GDPR violations fall under Article 5 and Article 6, which require personal data to be handled in a lawful manner that protects people's privacy.
  • The decision results in LinkedIn receiving a reprimand, a fine of €310 million ($334 million), and an order to the company to bring data processing into compliance.

LinkedIn received a €310 million ($334 million) fine from the European Union (EU) for violating data protection laws. Alongside that fine, the Microsoft-owned LinkedIn received a reprimand and an order to bring data processing into compliance. The inquiry that resulted in a fine and other forms of punishment centered around LinkedIn's processing of personal data "for the purposes of [behavioral] analysis and targeted advertising of users who have created LinkedIn profiles."

Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, notified LinkedIn of the decision this week.

“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection,” said DPC Deputy Commissioner Graham Doyle.

Specifically, the decision notes the following infringements of GDPR:

  • Article 6 GDPR and Article 5 GDPR, insofar as it requires the processing of personal data to be lawful, as LinkedIn:
    • Did not validly rely on Article 6 GDPR (consent) to process third party data of its members for the purpose of [behavioral] analysis and targeted advertising on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous.
    • Did not validly rely on Article 6 GDPR (legitimate interests) for its processing of first party personal data of its members for [behavioral] analysis and targeted advertising, or third party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects.
    • Did not validly rely on Article 6 GDPR (contractual necessity) to process first party data of its members for the purpose of [behavioral] analysis and targeted advertising.
  • Articles 13 and 14 GDPR, in respect of the information LinkedIn provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) GDPR as lawful bases.
  • Article 5 GDPR, the principle of fairness.

In layman's terms, LinkedIn did not get consent from its users to use data for advertising and analyzing customer behavior. Additionally, LinkedIn did not show a legitimate interest or need to gather and process the customer data in the way it did.

This week's decision by the EU follows a complaint made in August 2018 by the French non-profit organisation La Quadrature du Net. The complaint was first looked at by the French Data Protection Authority before the DPC took a look.

Sean Endicott
News Writer and apps editor


  • Arun Topez
    Are we even surprised? This is the way the new Microsoft. They could care less about ethics and consent. They only care about gathering and using user data, do what they want with it, and then ask forgiveness (or pay fines) afterwards.