LinkedIn has found itself in hot water in Europe, as the professional networking platform has been hit with a hefty €310 million ($335 million) fine for violating privacy regulations tied to its targeted advertising practices.
The penalty, one of the largest imposed on Big Tech under the European Union’s General Data Protection Regulation (GDPR), was levied by Ireland’s Data Protection Commission (DPC), which serves as the primary regulator for Microsoft, LinkedIn’s parent company, under GDPR guidelines.
The DPC’s investigation revealed several breaches related to LinkedIn’s processing of personal data for behavioral advertising, including violations of the GDPR principles of lawfulness, fairness, and transparency. GDPR mandates that data processing activities must have a valid legal basis, and in this case, LinkedIn’s arguments fell short.
Tekedia Mini-MBA edition 16 (Feb 10 – May 3, 2025) opens registrations; register today for early bird discounts.
Tekedia AI in Business Masterclass opens registrations here.
Join Tekedia Capital Syndicate and invest in Africa’s finest startups here.
LinkedIn had relied on three legal bases to justify its use of users’ data: consent, legitimate interests, and contractual necessity. However, the DPC concluded that none of these justifications held up under scrutiny. LinkedIn had not obtained proper consent for processing personal data for tracking ads and failed to provide users with clear and sufficient information about how their data was being used. Consequently, the regulator determined that LinkedIn’s practices infringed on users’ fundamental rights to data protection.
DPC deputy commissioner Graham Doyle acknowledged the significance of the ruling in a statement.
“The lawfulness of processing is a fundamental aspect of data protection law, and the processing of personal data without an appropriate legal basis is a clear and serious violation of data subjects’ fundamental right to data protection,” he said.
The case against LinkedIn began over six years ago, originating with a complaint filed in France in 2018 by the digital rights organization La Quadrature Du Net. The complaint was transferred to the DPC, given its role as the lead oversight authority for Microsoft’s GDPR compliance. The DPC launched its investigation in August 2018, but it took nearly six years for a final decision to be reached.
In July 2024, the DPC submitted a draft decision to other EU data protection authorities, who raised no objections, allowing the enforcement to proceed. The prolonged duration of the case highlights the complexities of GDPR enforcement, especially involving multinational corporations operating across multiple jurisdictions.
Following the announcement of the fine, LinkedIn acknowledged the DPC’s decision in a statement but expressed its disagreement with the findings. The company maintains that it has been compliant with GDPR but has committed to bringing its ad practices in line with the ruling.
“While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline,” a spokesperson for LinkedIn, Jonny Wing, stated.
The professional social media has been given a three-month window to rectify its operations and ensure full compliance with GDPR requirements.
Big Tech and GDPR
The €310 million penalty puts LinkedIn in the mid-range of the top 10 GDPR fines levied on tech giants, joining other prominent companies like Meta, Google, and Amazon that have faced significant sanctions. This case denotes that data protection authorities across Europe are prepared to take stringent measures against non-compliance, particularly concerning the complex landscape of digital advertising and user privacy.
The ruling also signals the growing scrutiny over the use of personal data for behavioral advertising, a practice that has come under fire for its potential to infringe on individual privacy. As regulators continue to clamp down on non-compliance, companies operating in the EU are expected to adopt more rigorous data protection practices to avoid costly penalties.
This latest penalty is not the first time LinkedIn has faced regulatory challenges in Europe over privacy concerns. However, it marks the most significant fine the company has received to date under GDPR. The platform’s previous brushes with data protection regulators involved less severe infractions.
With a three-month deadline to align its operations with GDPR requirements, LinkedIn must overhaul its advertising practices and data processing methods in Europe. This could entail revising consent mechanisms, enhancing transparency about data usage, and potentially reducing reliance on tracking technologies for ad targeting. Failure to make these adjustments could result in further penalties or restrictions on the company’s ability to operate within the EU.