Irish DPC fines LinkedIn €310m for behavioural analysis and targeted advertising breaches
The question
How certain do data controllers need to be of their lawful basis for processing personal data when engaging in behavioural analysis and targeted advertising, and how clearly must this be reflected in a privacy policy?
The key takeaway
LinkedIn failed to demonstrate a clear lawful basis for undertaking behavioural analysis and targeted advertising when using personal data of its members which it had collected itself directly and from its third-party partners. The Irish Data Protection Commission’s (DPC) decision is a reminder of the key data protection principles required for these activities, including transparency and fairness and the need to communicate the lawful basis clearly to users in a privacy policy.
The background
A complaint about the lawfulness of LinkedIn’s personal data processing was initially made in May 2018 to the French data protection authority. The complainant, a French non-profit organisation named La Quadrature Du Net, also filed four other complaints of a similar nature against Google, Apple, Facebook and Amazon. An inquiry was subsequently launched by the DPC as LinkedIn’s lead supervisory authority in the EU. The DPC examined LinkedIn’s use of personal data for behavioural analysis of, and targeted advertising to, users with LinkedIn profiles, ultimately finding several issues from an EU GDPR perspective. The DPC published a draft enforcement decision in July 2024, which did not face any objections. This was followed by the DPC’s final decision on 22 October 2024.
The development
The DPC’s decision noted three infringements of the EU GDPR, specifically finding breaches of the following provisions:
- lawful basis for processing (Article 6 EU GDPR): LinkedIn was not able to successfully establish any of the six ways that data processing can be considered lawful under the EU GDPR. In particular, the DPC found that LinkedIn did not obtain “sufficiently informed” consent to use this as the lawful basis to process users’ third-party data for the purpose of behavioural analysis and targeted advertising. The DPC found that it was also not possible for LinkedIn to rely on the lawful bases related to contractual necessity and legitimate interests
- transparency (Articles 13 and 14 EU GDPR): LinkedIn did not give the necessary information about the personal data collected, and not collected, to data subjects, in relation to the details of the lawful basis for processing that were set out in its privacy notices
- fair processing (Article 5(1)(a) EU GDPR): by failing to establish a lawful basis and to set that basis out in its privacy notice, the DPC found that LinkedIn breached the principle of fairness in relation to its data subjects. This prohibits the processing of data in a way that is detrimental, discriminatory, unexpected or misleading to the individual.
As a result of these findings, LinkedIn received a €310m fine, a reprimand from the DPC and an order to bring its processing into compliance with the EU GDPR within three months. The full decision is still to be published by the DPC. In response to the decision, LinkedIn has said that it would ‘consider its options to appeal’.
Why is this important?
The decision is a reminder of the approach taken by European data protection regulators to processing for online advertising purposes, including their appetite for fining levels where there has been a breach. The action also reflects how one breach of the EU GDPR (in this case lawful basis) can have a knock-on effect for compliance in other areas (transparency and fairness). The sanctions imposed and the DPC’s reasoning are particularly relevant to technology and other companies with their EU bases in Ireland, as the DPC is likely to be the lead supervisory authority for any such organisation.
Any practical tips?
When processing users’ data, businesses should ensure that they comply with applicable data protection laws including the EU GDPR. When processing individuals’ personal data for targeted advertising purposes, it is important that those users receive sufficiently clear information about what their data will be used for. Any targeted advertising programme should also be designed with privacy in mind and with a clear lawful basis for processing that can be set out in the relevant privacy notice.
Winter 2024