The Irish Data Protection Commission (DPC) announced it is fining LinkedIn €310 million, or more than $300 million, for how it processed user data.

The EU has strict regulations about how companies can process user data, a point that has led to multiple fines for Big Tech companies that making billions off of user data. LinkedIn is the latest to run afoul of the EU, after a complaint-based inquiry began in mid-2018.

This inquiry examined the lawfulness, fairness and transparency of the processing of the personal data of users of the LinkedIn platform for the purposes of behavioural analysis and targeted advertising. The personal data in question encompassed data provided directly to LinkedIn by its members (first-party data) and data obtained via its third-party partners relating to its members (third-party data).

There are three specific areas the investigation focused on.

The GDPR requires processing of personal data to be based on one of the legal bases outlined in Article 6(1) GDPR, such as consent, contractual necessity or legitimate interests. Depending on the lawful basis selected by controllers, certain conditions must to be met. For example, any consent obtained must meet the standard required by the GPDR of being a freely given, specific, informed, and an unambiguous indication of the data subject’s wishes.

The GDPR also requires that processing is carried out in a fair manner. Fairness is an overarching principle, which requires that personal data may not be processed in a way that is detrimental, discriminatory, unexpected or misleading to the data subject. An absence of fairness can result in a loss of autonomy of data subjects over their personal data, put them in a position where they may be unable to exercise other GDPR rights, and impact their fundamental rights to privacy and personal data protection.

Transparency is another crucial aspect of data protection, and gives data subjects control over the processing of their personal data. Compliance with transparency provisions by controllers ensures that data subjects are fully informed of the scope and consequences of the processing of their personal data in advance and in a positon to exercise their rights.

Ultimately, the DPC’s final decision involved both a fine and order that LinkedIn correct its data processing. The decision includes the following.

• a reprimand pursuant to Article 58(2)(b) GDPR;
• three administrative fines totalling €310 million pursuant to Articles 58(2)(i) and 83 GDPR; and
• an order to LinkedIn to bring its processing into compliance with the GDPR pursuant to Article 58(2)(d).

It’s a safe bet LinkedIn won’t be the last company to be fined by the EU. Big Tech companies will continue to deal with fines and other repercussions until they comply the EU’s data privacy regulations.