The Irish Data Protection Commission (DPC) fined LinkedIn €310 million for mishandling user data. This penalty ranks among the largest under the General Data Protection Regulation (GDPR). The fine follows a six-year investigation that began with a complaint about LinkedIn’s data practices.
On Thursday, the DPC ruled that LinkedIn failed to inform users about how their data was used for targeted advertising. The DPC found LinkedIn did not secure valid user consent and prioritized its own interests over users’ rights and freedoms.
Reprimand and Compliance Requirements
In addition to the fine, the DPC issued a formal reprimand and ordered LinkedIn to ensure GDPR compliance. Deputy Commissioner Graham Doyle stressed that lawful processing of personal data is essential to data protection law. He warned that processing data without a legal basis violates the rights of individuals.
The investigation began with a complaint filed in August 2018 by French digital rights group La Quadrature du Net. Since LinkedIn’s European headquarters are in Ireland, the DPC took responsibility for the case.
This case marks the sixth major GDPR fine. The largest so far was a €1.55 billion penalty against Meta, also imposed by the Irish DPC in 2023.
In response, LinkedIn stated, “The Irish Data Protection Commission (IDPC) has issued a final decision on 2018 claims about some of our advertising practices in the EU. While we believe we complied with GDPR, we are working to ensure our ad practices meet the IDPC’s requirements.”