The Irish Data Protection Commissioner (DPC) has fined Microsoft €310 million (approximately $335 million) for violations related to targeted advertising practices on LinkedIn.
The DPC stated that LinkedIn processed personal data without a legal basis, which is a serious infringement of individuals’ rights to data protection.
This decision follows a complaint made by the French non-profit organisation, La Quadrature Du Net.
DPC Deputy Commissioner Graham Doyle said: “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.”
As the EU’s lead privacy regulator for major U.S. internet companies, the DPC oversees compliance with data protection laws in the region.
Here are the highlights of the reasons for the fine:
Lack of Valid Consent: LinkedIn failed to obtain valid consent (Article 6(1)(a) GDPR) for processing third-party data of its members for behavioral analysis and targeted advertising. The consent was deemed not freely given, specific, informed, or unambiguous.
Overridden Legitimate Interests: The company did not adequately justify its reliance on legitimate interests (Article 6(1)(f) GDPR) for processing personal data. LinkedIn’s interests were found to be overridden by the fundamental rights and freedoms of data subjects.
Contractual Necessity Issues: LinkedIn improperly relied on contractual necessity (Article 6(1)(b) GDPR) for processing first-party data for behavioral analysis and targeted advertising, which was not justified.
Insufficient Information Provided: LinkedIn failed to provide adequate information to data subjects regarding its legal bases for processing under Articles 13(1)(c) and 14(1)(c) GDPR.
Violation of Fairness Principle: The processing was found to violate the principle of fairness (Article 5(1)(a) GDPR), which requires data to be processed in a way that is fair, non-discriminatory, and not misleading to data subjects.
Impact on Data Subject Rights: The violations impacted the autonomy and rights of data subjects, making it difficult for them to exercise their rights under GDPR.
Transparency Concerns: The decision highlighted issues with transparency, which is essential for ensuring that data subjects are fully informed about how their personal data is being processed.
Microsoft had previously anticipated a fine of around $425 million from the DPC, indicating awareness of potential legal challenges. LinkedIn has over 1 billion users in more than 200 countries. LinkedIn has over 227 million users in Europe, according to industry reports.
In its statement, LinkedIn expressed its belief in compliance with the General Data Protection Regulation (GDPR) but is committed to aligning its advertising practices with the DPC’s requirements by the specified deadline, Reuters news report said.
