Data processing for behavioral analysis purposes is expensive: the fine for LinkedIn

LinkedIn violated the GDPR by processing user data for behavioral analysis and targeted advertising purposes without first having obtained free, informed, specific and unambiguous consent from the interested parties: this is the reasoning with which the Irish Data Protection Commission (DPC) fined LinkedIn Ireland Unlimited Company (LinkedIn) a total of 310 million euros.

Furthermore, the same Authority, in the same provision, exercised its corrective powers, warning the company and imposing an injunction on LinkedIn to comply with European legislation on the protection of personal data.

The investigation was launched by the DPC, in its role as lead supervisory authority for LinkedIn and acting on behalf of the European Union, following a complaint initially lodged with the French Data Protection Authority by the French non-profit organisation La Quadrature Du Net. The DPC subsequently submitted a draft decision to the GDPR cooperation mechanism in July 2024, as required by Article 60 of the GDPR.

The personal data in question included data provided directly to LinkedIn by its members (first-party data) and data obtained through third-party partners relating to its members (third-party data).

DPC Deputy Commissioner, Graham Doyle, commented: “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate lawful basis is a clear and serious breach of a data subject’s fundamental right to data protection”.

Sanction against LinkedIn: the disputed violations

The Irish authority’s decision focused on the legal basis of processing for behavioral analysis and targeted advertising purposes, stating again that the only valid one remains the consent of the interested party.

Furthermore, the rights of the interested parties were considered to prevail over the legitimate interest invoked by the company, and the execution of the license agreement between the platform and the user was deemed incompatible with these purposes.

Consequently, the information provided pursuant to Articles 13 and 14 GDPR was deemed invalid.

The position of the EDPB

On the use of legitimate interest for personalized advertising purposes, it is necessary to refer to the recent EDPB guidelines, which confirm the legal correctness of the Irish authority’s decision.

These guidelines include among their examples the very case we are dealing with, stating the need for consent for the pursuit of personalized advertising purposes even though the service is free: “An online social network is financed through online advertising, which is personalized to individual users of the social network based on, among other things, their consumption behavior, interests, purchasing power and personal situation. This advertising is made possible, from a technical point of view, by the automated production of detailed profiles of network users. To this end, in addition to the data provided by users directly when registering for the online service, other data relating to users and devices are also collected, both inside and outside that social network, and linked to their account. The aggregate view of the data allows you to draw detailed conclusions about the preferences and interests of those users.

Despite the fact that the services of the online social network are free, the user of that network cannot reasonably expect that the operator of the social network processes the personal data of that user, without his consent, for the purposes of personalized advertising. Furthermore, users of the online social network cannot reasonably expect that such data will also be processed for other purposes, such as product improvement”.

Legitimate interest: case-by-case assessment

In fact, these guidelines state that for the Court of Justice of the European Union (CJEU) personalized advertising could be considered a form of direct marketing.

Furthermore, the CJEU has interpreted the concept of communication for direct marketing purposes under the ePrivacy Directive, which is closely linked to the GDPR and regulates the sending of direct marketing communications.

In particular, the CJEU established that, to assess whether a communication is made for direct marketing purposes, it is necessary to ascertain whether that communication pursues a commercial purpose and is addressed directly and individually to a consumer.

In this regard, the CJEU found it irrelevant whether the advertising in question is addressed to a pre-defined and individually identified recipient or whether it is sent massively and randomly to multiple recipients.

What matters is that there is a communication for a commercial purpose, which reaches a consumer directly and individually.

The fact that Recital 47 of the GDPR states that processing of personal data for direct marketing purposes may be carried out to fulfill a legitimate interest does not imply that direct marketing always constitutes a legitimate interest, nor that it is automatically possible to rely on Article 6(1)(f) of the GDPR to carry out all direct marketing activities.

For some cases of direct marketing, a different legal basis – such as consent – may be needed.

The use of legitimate interest requires that three cumulative conditions are met: first, the pursuit of a legitimate interest by the data controller or a third party; secondly, the need to process personal data for the purposes of the legitimate interests pursued; and, thirdly, that the interests or fundamental freedoms and rights of the person affected by the processing do not override the legitimate interests of the controller or of a third party.

It follows that the processing of personal data for direct marketing purposes cannot be based on Article 6(1)(f) of the GDPR if these criteria are not met. For example, Article 6(1)(f) of the GDPR cannot be relied upon if the direct marketing in question is unlawful, or if the interests of the data subjects outweigh those of the controller, taking into account the fact that, for example, no one can reasonably expect their data to be used for direct marketing purposes.

The EDPB suggests a case-by-case assessment to verify whether the envisaged processing meets the three cumulative conditions, treating the level of invasiveness of the marketing practices as a particularly relevant factor in the balancing test.

Conclusions

This decision represents an important precedent in the data protection landscape in Europe, underlining the importance of consent and transparency towards data subjects, especially for those companies that operate on a global scale like LinkedIn.

And this decision highlights how data protection authorities are prepared to take rigorous measures to ensure that companies respect users’ rights.

In an era where the collection and analysis of personal data is ever-expanding, compliance with regulations is critical in a precarious balance between using data for commercial activities, such as improving services and targeted advertising, and fair and transparent treatment.
