Privacy & Cybersecurity Law Blog

On October 24, 2024, the Irish Data Protection Commission (the “DPC”) announced that it had issued a fine of €310 million (approx. $335 million) against LinkedIn Ireland Unlimited Company (“LinkedIn”) for breaches of the EU General Data Protection Regulation (“GDPR”) related to transparency, fairness and lawfulness in the context of the company’s processing of its users’ personal data for behavioral analysis and targeted advertising. In addition to the fine, the DPC also issued a reprimand and an order to bring processing into compliance.  

Specifically, the DPC considered that LinkedIn’s practices:

• breached the rules on legal bases under Article 6 of the GDPR and the sub-principle of lawfulness under Article 5(1)(a) of the GDPR as LinkedIn: (1) relied on invalid consent to process third party data of its members for behavioral analysis and targeted advertising; and (2) relied unlawfully on legitimate interests and contractual necessity for its processing of first party personal data of its members for behavioral analysis and targeted advertising;
• breached the sub-principle of fairness under Article 5(1)(a) of the GDPR; and
• breached the rules on provision of information under Articles 13 and 14 of the GDPR.

Before being finalized by the DPC, this decision was submitted to the remaining concerned supervisory authorities in the EU under Article 60 of the GDPR. The remaining supervisory authorities did not raise any objections to the DPC’s decision. 

Read the Press Release.