Irish DPC Fines LinkedIn Ireland €310 Million for GDPR Violations

The Irish Data Protection Commission (DPC) announced a €310 million fine for LinkedIn Ireland, marking a significant ruling on data privacy practices, on October 24, 2024. Microsoft social networking subsidiary LinkedIn has been fined for violating Articles 5 and 6 of GDPR: processing personal data in manner that was neither “informed”, nor “freely given”.

The decision concluded an investigation that began in 2018 following a complaint from the French non-profit La Quadrature Du Net, referred to the DPC through France’s Data Protection Authority. The inquiry focused on LinkedIn’s handling of users’ personal data for behavioural analysis and targeted advertising, with scrutiny over the lawfulness, fairness, and transparency of LinkedIn’s practices.

The DPC’s findings indicated that LinkedIn had not secured valid consent under GDPR, nor adequately justified its reliance on other legal bases—such as legitimate interests or contractual necessity—for processing personal data. Additionally, LinkedIn’s data practices lacked fairness, a foundational GDPR principle, as users were often left uninformed about the extent and implications of data usage, which compromised their control over personal information.

Corrective actions under the DPC’s decision include a formal reprimand, €310 million in administrative fines, and a mandate for LinkedIn to align its data processing with GDPR standards. The ruling is backed by Article 58 of GDPR, which allows authorities to issue fines and enforce compliance.

The decision has received support from EU supervisory bodies and was issued following extensive GDPR cooperation with EU/EEA counterparts. DPC Deputy Commissioner Graham Doyle highlighted the ruling’s significance, noting that processing personal data without an appropriate legal basis is a clear violation of individual rights. The full decision will be made publicly available in the coming weeks, outlining all regulatory findings.