LinkedIn Fine 310 M

On October 24th, 2024, the Irish DPA, the Data Protection Commission (DPC), published its decision to fine LinkedIn 310 million Euros for multiple violations of the GDPR related to the processing of personal data for behavioural analysis and targeted advertising.

What are the key takeaways from this decision for those not working for large social media companies?

The GDPR violations: an overview

The DPC found that LinkedIn had breached Articles 5, 6, 13, and 14.

Article 5(1)(a) – Fairness Principle

This principle applies to all data processing under the GDPR and consists of fairness, lawfulness, and transparency. If the latter two are not complied with, the data processing cannot be fair.

Article 6(1) – Lawfulness of Processing

LinkedIn did not have a valid lawful basis for the processing activity. LinkedIn had attempted to rely on the following lawful bases:

  • Consent (6(1)(a)): Consent was deemed insufficient on the grounds that the consent supplied was not freely given, sufficiently informed, specific, or unambiguous.
  • Legitimate interest (6(1)(f)): Legitimate interest was deemed insufficient because the rights and freedoms of the data subjects overrode the interests of LinkedIn.
  • Contractual necessity (6(1)(b)): A ground for finding contractual necessity insufficient was not published. However, it would be hard to argue that behaviour tracking and targeted advertising are contractually necessary for LinkedIn. Combined with the lack of transparency on LinkedIn’s part, it is easy to see why the DPC ruled this lawful basis insufficient.

Articles 13 and 14 – Transparency

LinkedIn did not correctly inform the data subjects about the lawful bases used (see above).

3 key Takeaways from the LinkedIn Fine

For many companies, fines for complex data processing such as that undertaken by large social media conglomerates may seem a non-issue. Nonetheless, this fine offers several takeaways:

1) Identify a clear lawful basis for data processing

Companies should take care to use one well-defined lawful basis for each processing operation, and ensure that all conditions for that lawful basis are met.

2) Avoid Over-Reliance on Legitimate Interest as a Lawful Basis

Companies should guard against the temptation to label data processing as ‘legitimate interest’ when the lawful basis is unclear. Although it is currently unclear how LinkedIn argued its legitimate interest, companies should ensure that, when processing data under legitimate interest, a Legitimate Interest Assessment (LIA) is performed. An LIA should ensure that the rights and freedoms of the data subject are weighed against the company’s interest.

3) Implement Privacy by Design and Default in New Processes

As part of their new operational processes, companies should consider the privacy implications of the new data processing and design their processes accordingly (privacy by design and default). A lawful basis can then be considered early in the design process. The relevant privacy statement should also be updated to cover the new processing.