LinkedIn fined €310m over data processing consent
LinkedIn failed to acquire “freely given” and “informed” consent for processing personal data
LinkedIn fined €310 million ($360m) for making it effectively impossible for users to freely consent to their data being shared,
Microsoft social networking subsidiary LinkedIn has been fined €310 million ($360m) for violating Articles 5 and 6 of GDPR: processing personal data in a manner that was neither “informed” nor “freely given”.
The fine was levied by Ireland’s Data Protection Commission (DPC).
The case concerns digital advertising and personal data processing across the EU. The complaint was originally made by French digital rights organisation La Quadrature du Net in 2018. However, it was transferred from the French data protection agency CNIL to Ireland’s DPC, the authority with jurisdiction over Microsoft across the EU, because the company’s European head office is in Dublin.
The complaint pointed out that users have no choice but to accept the data sharing conditions when creating an account on LinkedIn, and can only adjust these settings afterwards by working through a series of menus and submenus to reverse this non-freely given consent.
La Quadrature du Net pointed out that, under GDPR, individuals have a right to be informed about data sharing first and have a right to withdraw their consent for data sharing at any time. The way in which LinkedIn structured its consent process – presumably to maximise data sharing and, hence, revenues – ran contrary to GDPR, they argued.
After a six-year inquiry culminating in an opinion published in July, the DPC agreed.
Justifying the hefty fine, DPC deputy commissioner Graham Doyle said: “The lawfulness of processing is a fundamental aspect of data protection law, and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.”
It is not the first data protection-related fine that has been levied on LinkedIn, but it is the largest so far. The company has also been given three months to bring its European data sharing consent processes into compliance.
LinkedIn has also come under scrutiny for training its AI models with user data without explicit consent being obtained.
Microsoft’s response to the fine was brief. In a statement, it said: “Today the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 about some of our digital advertising efforts in the EU.
“While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC's deadline.”
However, Microsoft will not be unduly impoverished by this fine. It had set aside $425 million last year to cover the likelihood of a fine being levied, which is relatively paltry alongside the $72.4 billion net income it earned in the year to the end of June, on revenues of just over $211 billion.