LinkedIn has been fined $356 million in the EU for privacy breaches in its tracking ads
Bad news for LinkedIn in Europe, where the Microsoft-owned social network has been reprimanded and fined €310 million for privacy violations related to its tracking ad business.
The administrative penalties, worth roughly $356 million at current exchange rates, were imposed by Ireland's Data Protection Commission (DPC) under the European Union's General Data Protection Regulation (GDPR). The regulator found a variety of violations, including breaches relating to the lawfulness, fairness and transparency of data processing in this area.
The GDPR requires that the use of personal data has an appropriate legal basis. In this case, the justifications that LinkedIn relied on for its tracking advertising business were found to be invalid. According to the decision, LinkedIn also did not adequately inform users about how their information was used.
LinkedIn had attempted to invoke (different) legal bases of "consent", "legitimate interests" and "contractual necessity" to process personal data, obtained directly and/or from third parties, in order to track and profile users for behavioral advertising. However, the DPC found that none of them were valid. LinkedIn also did not comply with the principles of transparency and fairness under the GDPR.
Commenting in a press release, DPC Deputy Commissioner Graham Doyle said: “The lawfulness of processing is a fundamental aspect of data protection law, and the processing of personal data without an appropriate legal basis constitutes a clear and serious breach of the fundamental right of data subjects to data protection.”
The size of the sanctions catapults the professional social network into the middle of the top 10 largest GDPR fines imposed on Big Tech. And while this is not the first time LinkedIn has been sanctioned for breaching the region's data protection rules, it's definitely the most significant penalty so far. (Though the company was keen to point out that the amount of the fine was lower than the amount Microsoft cited in an earlier 10-K disclosure warning investors that it expected sanctions.)
The case against LinkedIn began with a complaint filed in France in 2018 by the digital rights nonprofit La Quadrature Du Net. The French data protection authority then referred the complaint to the DPC because of its role as the lead supervisory authority for Microsoft's GDPR compliance.
The DPC initiated a complaint-based investigation in August 2018, before finally submitting a draft decision to other interested data protection authorities almost six years later (July 2024). As no objections were raised, the decision was finalized and its implementation made public.
In addition to the fine, LinkedIn was given three months to bring its operations in Europe into compliance with the GDPR.
LinkedIn spokesman Jonny Wing pointed TechCrunch to a press release about the sanctions posted in the press room on the company's website, in which he wrote: “Today, the Irish Data Protection Commission (IDPC) took a final decision on claims dating back to 2018 relating to some of our digital advertising activities in the EU. While we believe we have complied with the General Data Protection Regulation (GDPR), we are working to ensure that our advertising practices comply with this decision within the deadline set by the IDPC.”