The Irish data protection watchdog on Thursday fined LinkedIn €310 million ($335 million) for violating the privacy of its users by conducting behavioral analyses of personal data for targeted advertising.
“The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioral analysis and targeted advertising of users who have created LinkedIn profiles (members),” the Data Protection Commission (DPC) said. “The decision […] concerns the lawfulness, fairness and transparency of this processing.”
The penalty has been issued under the European Union’s (E.U.) General Data Protection Regulation (GDPR), an information privacy law that establishes a framework for the collection, processing, storage, and transfer of personal data in the E.U. and the European Economic Area (EEA). It went into effect on May 25, 2018.
The probe, which was initiated following a complaint made to the French Data Protection Authority in 2018, found that LinkedIn infringed on three different GDPR principles concerning transparency and fairness: Article 6 GDPR and Article 5(1)(a), Articles 13(1)(c) and 14(1)(c), and Article 5(1)(a).
This includes not seeking users’ explicit consent or sufficiently informing them prior to processing third-party data of its members and using legitimate interests as a legal basis for processing first-party data for targeted advertising. In addition to the fine, LinkedIn has been given three months to bring its European operations into compliance with the GDPR.
The DPC said the consent obtained in a manner that complies with GDPR must be freely given, specific, informed, and an unambiguous indication of the data subject’s wishes. It also said the processing must be carried out in a fair and transparent manner.
“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection,” DPC Deputy Commissioner Graham Doyle said in a statement.
Commenting on the development, the Microsoft-owned professional networking platform said “while we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline.”
In related news, Austrian privacy non-profit noyb (short for None Of Your Business) filed a complaint with France’s data protection authority against social media company Pinterest for resorting to “legitimate interests” to track users’ activity by default to serve targeted ads without their consent.
“Instead of seeking opt-in consent under Article 6(1)(a) GDPR, it falsely claims to have a ‘legitimate interest’ in processing people’s personal data under Article 6(1)(f) GDPR,” noyb said. “Tracking is turned on by default and would require an objection (opt-out) by each user to stop.”
A Pinterest spokesperson told TechCrunch that its “approach to personalized advertising is GDPR compliant.”