Another day, another violation of GDPR by one of the big tech companies! This time it is the social network for those who wake up at 6am to get on that grind, LinkedIn!
On October 24th, the Irish Data Protection Commission (DPC) announced that final decision made on a complaint initially made to the French Data Protection Authority, but as the Irish DPC is the lead supervisory authority for LinkedIn as its EU Headquarters is based in Ireland. The complaint focused on the processing of personal data of its members for behavioural analysis and targeted advertising.
Violations
The focus of the investigation was on some of the 101s of GDPR, the legal basis for the processing of personal data, the principles and legal basis are the stuff that they teach you on day one of any course on GDPR! It is perplexing how one of the major tech companies fell for this. The final infringements were on Article 6 GDPR and Article 5(1)(a) GDPR, as LinkedIn:
- Consent Wasn’t Quite There
- LinkedIn claimed to rely on consent (Article 6(1)(a) GDPR) to process user data from third parties for targeted advertising and behavioural analysis. However, the DPC ruled that this consent was neither “freely given” nor “sufficiently informed” or “unambiguous.”
- Legitimate Interests Didn’t Hold
- LinkedIn also used the “legitimate interests” (Article 6(1)(f) GDPR) clause to justify its decision to use user data for behavioural analysis, targeted advertising, or third party data for analytics,. However, LinkedIn’s commercial goals doesn’t outweigh users’ rights.
- This is interesting as a recent EUCJ case set a precedent that commercial rights was a legitimate interest under GDPR.
- Contractual Necessity Not Valid for Ads
- Additionally, LinkedIn tried to rely on “contractual necessity” (Article 6(1)(b) GDPR) for processing user data. However, advertising and behavioural profiling aren’t core to the service users sign up for on LinkedIn, so this justification couldn’t apply either.
As Transparent as a wall
- Lack of Transparency
- The DPC found that LinkedIn’s communication with users about its data processing practices was terrible enough to be highlighted in the decision. Articles 13(1)(c) and 14(1)(c) require clear and specific information about how data is used. LinkedIn failed to provide adequate details about its reliance on various lawful bases, leaving users in the dark about how their data was being used.
- Fairness Fell Short
- Fairness, under Article 5(1)(a) GDPR, is a fundamental principle that requires data processing to be predictable, non-discriminatory, and not to mislead data subjects. LinkedIn’s data practices were deemed unfair because they did not give users meaningful control over their data, potentially restricting their ability to exercise other GDPR rights.
What to learn from this
Fairness and transparency is clear and constant overarching principle of the GDPR. When talking with clients and other DPOs, I feel like peoples worries around compliance are bogged down by more complex parts of GDPR and all that good stuff, but the fundamentals of data protection like legal basis are overlooked. This case is a good reminder to get the 101s of GDPR right.
Its a good reminder to get your RoPA spot on, and to keep updating and reviewing all entries.LinkedIn gave plenty of legal basis for using personal data in targeted ads and behavioural analysis, but it just didn’t cut it. It’s extremely critical to get one legal basis precise and be open with your data subjects with your data processing instead of just throwing together a bunch of half-hearted reasons and being opaque.
In Summary
Don’t forget about the basics of GDPR. Get your legal basis correct, make sure it is watertight, be transparent and fair with your processing. I really think it is that simple.
A nice infographic from the DPC on the case
