Ireland’s Data Protection Commission has handed professional social network LinkedIn a €310 million fine today, stating that LinkedIn has violated Europe’s General Data Protection Regulation (GDPR) in its processing of personal data for behavioural analysis and ad targeting.
The ruling was based on a complaint raised back in 2018 by French privacy advocacy group La Quadrature Du Net, which claimed that LinkedIn was using personal data for advertising purposes without a proper legal basis for doing so. This filing was part of a spray and pray approach adopted by the group – it filed similar cases against Facebook, Google, Amazon, and Apple, publishing a template for its legal filings in order to encourage others to file their own cases.
The DPC has sided with the advocacy group. The data regulator says that LinkedIn has not had a legal basis for processing data, has not been transparent about how it uses data, and has been misleading towards users in terms of how it uses their data. Alongside the fine, LinkedIn has been ordered to change how it uses data in order to comply with GDPR.
“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection,” said Graham Doyle, deputy commissioner at the DPC.
Illegitimate legitimate interest
GDPR provides a number of legal groundings for processing user data. These include informed, specific, unambiguous and freely-given consent provided by individuals whose data is collected; ‘legitimate interest’, where a company can claim that processing of users’ data is essential, perhaps for a company or individual’s interests, or for a wider societal benefit; and contractual necessity.
Many businesses in the advertising sphere have used consent as their basis for data processing, but there’s been debate over what terms like ‘informed’, ‘unambiguous’, and ‘freely-given’ mean. One of La Quadrature Du Net’s complaints against big tech companies was that users are told to either consent to data processing or not use the service, which it argues doesn’t count as ‘freely-given’ consent.
The DPC’s ruling agrees that the consent obtained by LinkedIn falls short on pretty much all counts. Consent given by LinkedIn users “was not freely given, sufficiently informed or specific, or unambiguous”, according to a statement from the DPC.
The DPC further added that LinkedIn could not claim legitimate interest or a contractual basis as its basis for data processing either. The former is particularly interesting. Some in the industry have argued that since personal data plays such a big role in ad targeting and measurement, publishers and ad tech companies can claim legitimate interest. A recent ruling on a case against Meta gave backing to this argument.
But the DPC says that LinkedIn’s own interests in processing user data “were overridden by the interests and fundamental rights and freedoms of data subjects”, rendering legitimate interest invalid.
LinkedIn said today in a statement that it disagrees that it hasn’t had a valid legal basis for its use of data. “While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline,” said a statement released by LinkedIn.