Over the past year, we have seen a continued enforcement trend by the Irish Data Protection Commission (“DPC”) in regard to imposing fines for non-compliance with the core data protection principles and related obligations, in particular for breach of the fair, transparent and lawful processing requirements under the GDPR. The DPC recently imposed a hefty €310 million fine on LinkedIn for failure to comply with these requirements, when processing users’ personal data for behavioural analysis and targeted advertising purposes.
Background
Following a complaint made by the French non-profit organisation, La Quadrature Du Net, the DPC commenced a statutory inquiry to examine LinkedIn’s compliance with the fair, lawful and transparent processing requirements set out in the GDPR. The complaint asserted that LinkedIn had processed certain personal data relating to data subjects, for the purposes of behavioural analysis and targeted advertising (“BA and TA”), without a valid legal basis and in an unfair and non-transparent manner. The personal data in question encompassed data provided directly to LinkedIn by its members or created as a result of their use of the LinkedIn platform (“first party data”), and data provided to LinkedIn by its enterprise customers relating to its members (“third party data”).
The temporal scope of the DPC’s decision considered LinkedIn’s processing of data as it existed at two points, namely 28 May 2018 and 14 September 2020. The first point in time is the date on which the complaint was made, whilst the second point in time is the date of the DPC’s first correspondence to LinkedIn after its cessation of reliance on contractual necessity under Article 6(1)(b) GDPR, as a lawful basis for processing first party personal data.
DPC Decision
The DPC imposed a fine of €310 million on LinkedIn for its unlawful reliance on consent, legitimate interest, and contractual necessity for its processing of users’ personal data for BA and TA purposes, and for its failure to comply with fair and transparent processing obligations. We have set out further details in respect of the DPC’s findings below.
Lawful basis for Processing - Consent
LinkedIn members were by default opted-out of the use of third-party data for ad targeting by 25 May 2018 (when the GDPR came into force). They were then presented with an in-product notification providing them with the option to consent to the use of third party data for ad targeting or to remain opted out. The DPC analysed whether consent was validly given under the GDPR, in particular, whether it was freely given, specific, informed and unambiguous in line with Article 4(11) and Article 7 GDPR.
With regard to the freely given nature of the consent, the DPC concluded that the consent tool placed inappropriate pressure and influence on data subjects, as its wording implied that if the user did not provide consent, this would negatively impact their ability to see relevant jobs on the platform. In addition, the DPC concluded that the two options presented to users, namely “Accept & Continue” v “Manage Settings”, were ambiguous and nudged users into accepting in order to continue. Furthermore, the two options were not given equal visual prominence.
Accordingly, LinkedIn could not validly rely on users’ consent under Article 6(1)(a) GDPR to process third party data of users for BA and TA purposes, on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed, specific or unambiguous.
Lawful Basis for Processing - Legitimate Interest
Article 6(1)(f) GDPR provides that processing of personal data shall be lawful to the extent that it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of data subjects.
EU case-law sets out three conditions which must be satisfied in order for a controller to rely on legitimate interests as a lawful basis for processing personal data. These conditions include: (a) the pursuit of a legitimate interest by the controller or by a third party; (b) the need to process personal data for the purposes of the legitimate interests pursued; and (c) the carrying out of a balancing test to confirm that the fundamental rights and freedoms of data subjects do not override the legitimate interests pursued.
The DPC found that LinkedIn failed to meet the third condition, as the rights and freedoms of data subjects outweighed the legitimate interests pursued by LinkedIn, to the extent that the processing of personal data for BA and TA purposes had a number of negative impacts on data subjects. In particular, the use of inferred categories of users’ personal data (such as their gender and age) meant that they could be excluded from job advertisements. In addition, the DPC found that the processing of such inferred data by LinkedIn for BA and TA purposes was not within the foreseeable expectations of users.
Therefore, the DPC concluded that LinkedIn could not validly rely on legitimate interests under Article 6(1)(f) GDPR to process first party personal data of users for BA and TA purposes, or third party personal data of users for analytics purposes, as LinkedIn’s interests were overridden by the interests of data subjects.
Lawful Basis for Processing - Contractual Necessity
Article 6(1)(b) GDPR provides for a lawful basis for processing personal data to the extent that it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
In January 2020, LinkedIn ceased to rely on contractual necessity as a lawful basis for processing first party data for BA and TA purposes. From that point, LinkedIn relied exclusively on legitimate interests as a lawful basis for such processing. Notwithstanding such cessation, the DPC considered whether contractual necessity could provide a lawful basis for the processing at the date of the complaint, on 28 May 2018.
The DPC found that LinkedIn could not rely on contractual necessity, as the processing of users’ personal data for BA and TA purposes was not “objectively necessary” for the performance of its contract with users. The DPC highlighted that EDPB Guidelines on contractual necessity (Guidelines 02/2019) make it clear that Article 6(1)(b) GDPR will not cover processing which is “useful but not objectively necessary” for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject. The DPC also noted that the Guidelines explicitly refer to personalised advertising as an example of processing that will usually not be necessary for the purposes of the performance of, or entering into, a contract with a data subject.
Accordingly, the DPC concluded that LinkedIn could not validly rely on contractual necessity under Article 6(1)(b) GDPR to process first party data of users for BA and TA purposes.
Transparent Processing
In order to comply with the transparency requirements of Articles 13(1)(c) and 14(1)(c) GDPR, a controller must provide information to data subjects about: (a) what categories of personal data are processed; (b) the purposes of the processing; and (c) the lawful basis for the processing. The DPC concluded that LinkedIn’s Privacy Policy did not meet the information requirements of Articles 13(1)(c) and 14(1)(c) GDPR. In particular, the DPC found that the Privacy Policy did not contain a clear link between each of the elements listed at (a), (b) and (c) above.
Fair Processing
Article 5(1)(a) GDPR requires personal data to be “processed lawfully, fairly, and in a transparent manner in relation to the data subject”. The DPC concluded that LinkedIn infringed Article 5(1)(a) GDPR by not conducting processing in a fair manner. In particular, the DPC found that data subjects were not in a position to fully understand the use of their data if they did or did not consent to its processing.
Corrective Measures
The DPC issued a reprimand to LinkedIn for infringing the GDPR, and imposed an order requiring LinkedIn to bring its processing into compliance with the GDPR, including by updating its Privacy Policy in line with the requirements of Articles 13(1)(c) and 14(1)(c) GDPR. The DPC also imposed an administrative fine totalling €310 million.
Commentary
The decision serves as a reminder of the importance of processing personal data in a fair, transparent and lawful manner. It is crucial that businesses carefully assess which lawful basis to rely on in light of the processing activities at hand, particularly when processing personal data for BA and TA purposes. If relying on legitimate interests for your processing activities, it is essential that a robust legitimate interests assessment is carried out and documented, and that the three conditions for relying on this legal basis are met.
The decision also highlights the importance of businesses ensuring that their customer-facing privacy policies do not cite vague lawful bases, but rather set out clear and comprehensive information about the categories of personal data being processed; the purposes of the processing activities; and the lawful bases relied on, with a clear link between each of these elements.
Contact Us
For more information, please contact Davinia Brennan, or any member of our Technology and Innovation Group or your usual Matheson contact.