Ireland’s data protection authority fined LinkedIn 310 million euros ($335 million) on Thursday for violating the privacy of its users by conducting behavioral analysis of personal data to target advertising.
“The investigation examined LinkedIn’s processing of personal data for the purposes of behavioral analysis and targeted advertising of users who have created LinkedIn profiles (members),” the Data Protection Commission (DPC) said. “The decision (…) concerns the legality, fairness and transparency of this processing.”
The fine was imposed in accordance with the European Union (EU) General Data Protection Regulation (GDPR), an information privacy law that establishes the framework for the collection, processing, storage and transfer of personal data in the EU and the European Economic Area (EEA). It entered into force on May 25, 2018.
The investigation, which was launched following a complaint filed with the French Data Protection Authority in 2018, found that LinkedIn violated three different GDPR principles related to transparency and fairness: Article 6 GDPR and Article 5(1)(a); Articles 13(1)(c) and 14(1)(c); and Article 5(1)(a).
This includes failing to obtain express consent from users or provide them with sufficient information before processing third-party member data and using legitimate interests as a legal basis for processing own data for targeted advertising. In addition to the fine, LinkedIn was given three months to bring its European operations into compliance with the GDPR.
The DPC said that consent obtained under the GDPR must be free, specific, informed and an unambiguous indication of the data subject’s wishes. It also states that processing must be done fairly and transparently.
“The lawfulness of processing is a fundamental aspect of data protection law and processing personal data without an appropriate legal basis is a clear and serious breach of a data subject’s fundamental right to data protection,” DPC Deputy Commissioner Graham Doyle said in a statement.
Commenting on the development, the Microsoft-owned professional networking platform said, “While we believe we are compliant with the General Data Protection Regulation (GDPR), we are working to bring our advertising practices into compliance by the IDPC deadline.”
In related news, Austrian nonprofit Noyb (short for None Of Your Business) has filed a complaint with the French data protection authority against social media company Pinterest for using “legitimate interests” to track users’ default actions to serve targeted ads without their consent.
“Instead of obtaining consent to participate in accordance with Article 6(1)(a) GDPR, it falsely claims that it has a ‘legitimate interest’ in the processing of people’s personal data in accordance with Article 6(1)(f) GDPR,” Noyb said. “Tracking is enabled by default and requires an objection (opt-out) from each user to stop it.”
A Pinterest representative told TechCrunch that its “approach to personalized advertising is GDPR compliant”.