The administrative penalties, which are worth around $335 million at current exchange rates, have been issued by Ireland’s Data Protection Commission (DPC) under the European Union’s General Data Protection Regulation (GDPR). The regulator found a raft of breaches, including breaches of the lawfulness, fairness and transparency of its data processing in this area.
The GDPR requires that uses of people’s information have a proper legal basis. In this case, the justifications LinkedIn had relied upon to run its tracking ads business were found to be invalid. It also did not properly inform users about its uses of their information, per the DPC’s decision.
LinkedIn had sought to claim (variously) “consent”-, “legitimate interests”- and “contractual necessity”-based legal bases for processing people’s information — when obtained directly and/or from third parties — to track and profile its users for behavioral advertising. However, the DPC found none were valid. LinkedIn also failed to comply with the GDPR principles of transparency and fairness.