top of page
Writer's pictureCaro Robson

Irish Data Protection Commission fines LinkedIn €310 million

25 October 2024


The Irish Data Protection Commission (DPC) has fined LinkedIn €310million for using members’ data for behavioural analysis and targeted advertising without a proper lawful basis (required by Art 6 GDPR) or full transparency (required by Arts 13 and 14). As a result, the processing was also found to be unfair (Art 5).


The inquiry was launched by the DPC as the lead supervisory authority for LinkedIn and its parent Microsoft, after a complaint originally lodged with the French Data Protection Authority, CNIL.


Following the DPC investigation, the draft decision was submitted through the GDPR cooperation mechanism in July 2024, under the Art 60 procedure. No objections were raised by other data protection authorities.


The DPC’s decision incudes a reprimand and order for LinkedIn to bring its processing into line with the GDPR.


The full DPC decision will be released shortly, but yesterday’s press release included the following summary (link below):


“The DPC’s final decision records the following findings of infringement of the GDPR:


  1. Article 6 GDPR and Article 5(1)(a) GDPR, insofar as it requires the processing of personal data to be lawful, as LinkedIn:

    • Did not validly rely on Article 6(1)(a) GDPR (consent) to process third party data of its members for the purpose of behavioural analysis and targeted advertising on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous.

    • Did not validly rely on Article 6(1)(f) GDPR (legitimate interests) for its processing of first party personal data of its members for behavioural analysis and targeted advertising, or third party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects.

    • Did not validly rely on Article 6(1)(b) GDPR (contractual necessity) to process first party data of its members for the purpose of behavioural analysis and targeted advertising.


  2. Articles 13(1)(c) and 14(1)(c) GDPR, in respect of the information LinkedIn provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) GDPR as lawful bases.


  3. Article 5(1)(a) GDPR, the principle of fairness.”

 

According to Reuters, Microsoft’s financial statements for last year indicated that it expected a charge of around $425million (roughly €392million) in Q2 of 2023.


The fine follows similar decisions against Meta for targeted advertising, or the ‘pay or ok’ or ‘pay or consent’ model. The EDPB issued guidance in April 2024 on large platforms’ use of this model for processing personal data, in its Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms (link below).


The EDPB Opinion states that:


“In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.”


The EDPB’s position on consent is consistent with its approach to platforms relying on contractual necessity as a legal ground, where it stressed that any processing must be necessary to carry out the fundamental services of a contract to be lawful under this basis (and not ancillary, as when providing additional advertising services). (See EDPB Guidelines 2/2019 on processing personal data on the basis of contractual necessity for online services, link below.)


However, some aspects of the EU’s broader digital market policy do seem to suggest that providing personal data can be a form of consideration in a legal contract for online services.


On 1 January 2022 Directive (EU) 2019/770 on the Supply of Digital Content and Digital Services entered into force. It included some interesting provisions in the recitals on whether personal data can be used as legal consideration (i.e. payment) for a contract, including for online and social media services:

 

"Digital content or digital services are often supplied also where the consumer does not pay a price but provides personal data to the trader. Such business models are used in different forms in a considerable part of the market. While fully recognising that the protection of personal data is a fundamental right and that therefore personal data cannot be considered as a commodity, this Directive should ensure that consumers are, in the context of such business models, entitled to contractual remedies

[…]

For example, this Directive should apply where the consumer opens a social media account and provides a name and email address that are used for purposes other than solely supplying the digital content or digital service, or other than complying with legal requirements. It should equally apply where the consumer gives consent for any material that constitutes personal data, such as photographs or posts that the consumer uploads, to be processed by the trader for marketing purposes. Member States should however remain free to determine whether the requirements for the formation, existence and validity of a contract under national law are fulfilled."


Recitals 24 and 25, Directive on the Supply of Digital Content and Digital Services

(emphasis added)

 

Although the Directive assumes that consent will be provided for the re-use of personal data, including the potential for re-using content uploaded by users (which could include personal data of other people), it does not deal with how this will operate alongside the GDPR’s consent requirements or its legal basis for processing for contractual necessity.


Concern about the issue of using personal data as legal consideration (i.e. payment) for a contract for digital services was raised by the Dutch data protection authority when it provided advice on the Netherlands’ national implementation of the Directive in 2020 (link below). The Dutch DPA stated: “the fact remains that the recognition by the European legislature in the directive that consent in the context of a contract may have the character of consideration raises particularly difficult questions.”


Whilst the EDPB has ultimately adopted the position of the Dutch DPA in its Opinion and Guidelines, is this an area where the digital market policy of the EU could potentially collide with its data protection and fundamental rights agenda?

 

For now, the Irish DPC decision clearly supports the EDPB’s view that consent can only be valid if freely given and contractual necessity can only be a valid legal basis where the processing is necessary for a fundamental aspect of the contract. In all cases, processing must be fair and transparent.


In light of recent fines for Meta and other large platforms, and the EDPB’s Opinion, social media and other major platforms should reconsider how they obtain valid consent for behavioural advertising to their users/members.


As users of these platforms, we should perhaps be more aware of the privacy policy and opt-out mechanisms available to us, if we want to avoid our data being used for behavioural profiling...



 



Link to EDPB Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms: https://www.edpb.europa.eu/system/files/2024-04/edpb_opinion_202408_consentorpay_en.pdf


Link to EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Version 2.0, 08 October 2019: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article 61b_en


Link to Dutch DPA advice on Netherlands law implementing the EU Directive on Contracts for the Supply of Digital Services: Autoriteit Persoonsgegevens [Dutch Data Protection Authority], Advice on the Draft Law Implementing the EU Directive on Sales of Goods and EU Directive on Contracts for the Supply of Digital Content and Digital Services, 16 April 2020: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/advies_implementatiewet_richtlijnen_verkoop_goederen_en_levering_digitale_inhoud.pdf

bottom of page