Microsoft-owned social network, LinkedIn has been hit with a $335 million fine by Ireland’s Data Protection Commission (DPC).
The penalty, issued under the EU’s General Data Protection Regulation (GDPR), follows findings that LinkedIn’s ad-tracking practices violated multiple GDPR provisions, including those related to transparency, fairness, and lawful data processing.
At the core of the DPC’s ruling lies LinkedIn’s approach to targeted advertising, a model that leverages users’ personal data to deliver behavioural ads.
The GDPR mandates that personal data processing requires a legitimate legal basis, but LinkedIn’s claims—based on users’ “consent,” “legitimate interests,” and “contractual necessity”—were deemed inadequate by the DPC.
The regulator ruled that these justifications did not align with the legal standards set by the GDPR and, further, that LinkedIn had failed to properly inform users of the extent and purpose of its data tracking activities.
Graham Doyle, deputy commissioner of the DPC, commented on the importance of GDPR compliance: “The lawfulness of processing is a fundamental aspect of data protection law, and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.”
This substantial fine positions LinkedIn among the largest GDPR violators to date, underscoring the growing scrutiny of data practices across major platforms.
In September, Meta, Facebook’s parent company was slapped with a $101.5M fine by the DPC.
While LinkedIn has faced previous penalties for privacy issues in the EU, this fine marks the most severe action against the platform so far.
Microsoft had disclosed a potential financial impact from the anticipated fine in a prior 10-K filing, signalling that it had prepared for a substantial sanction.
The case originated with a 2018 complaint from the French digital rights organization La Quadrature du Net, which accused LinkedIn of privacy violations related to its advertising model.
The complaint was later escalated to Ireland’s Data Protection Commission, the lead authority overseeing Microsoft’s GDPR compliance within the EU, given LinkedIn’s European headquarters in Ireland.
The DPC’s ensuing investigation, launched in August 2018, culminated in a draft decision circulated to other EU data authorities in July 2024, who raised no objections to the findings.
Alongside the monetary penalty, LinkedIn now faces a compliance deadline: it must adjust its data processing practices within three months to meet GDPR standards.
In a statement on LinkedIn’s press room, the company responded to the decision, saying: “Today, the Irish Data Protection Commission (IDPC) reached a final decision on claims from 2018 regarding some of our digital advertising efforts in the EU. While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline.”
