The Irish Data Protection Commission (DPC) has fined LinkedIn €310 million for violating the General Data Protection Regulation (GDPR). The decision comes after a detailed investigation of LinkedIn’s processing of both first-party and third-party personal data from its users or members for behavioural targeting in advertising campaigns.
The DPC initiated the inquiry following a complaint from French advocacy group La Quadrature du Net in 2018. The Commission found significant breaches of GDPR requirements, particularly regarding LinkedIn’s legal bases for processing and its failure to obtain proper consent.
The investigation revealed multiple violations of GDPR, primarily concerning the lawfulness, fairness, and transparency of LinkedIn’s data processing practices. According to the DPC’s final decision, LinkedIn had relied on inadequate legal justifications under GDPR Article 6, which outlines the lawful bases for data processing.
Specifically, LinkedIn failed to meet the stringent consent requirements under Article 6(1)(a), with the DPC ruling that the consent obtained from LinkedIn users was neither “freely given” nor sufficiently “informed” or “specific.”
Additionally, the regulators rejected the company’s use of legitimate interest (Article 6(1)(f)) and contractual necessity (Article 6(1)(b)) as justifications for processing.

Deputy Commissioner Graham Doyle emphasised that LinkedIn’s failure to establish an appropriate legal basis for data processing amounted to a severe violation of users’ fundamental rights. “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of data subjects’ fundamental rights,” said Doyle.
Under GDPR, companies like LinkedIn are required to ensure that consent is clear and unambiguous. This means users must fully understand how their data will be used and have the genuine option to refuse. The DPC found that LinkedIn had not adequately met these criteria.
Furthermore, LinkedIn’s reliance on “legitimate interests” to justify certain data uses was deemed invalid, as the rights and freedoms of data subjects were found to outweigh the company’s business interests.
As a result of these findings, the DPC has ordered LinkedIn to rectify its data processing operations to align with GDPR. In addition to the €310 million fine, the DPC has issued a formal reprimand and instructed the company to bring its data processing practices into compliance.
In September 2024, the EU launched two proceedings against Apple to ensure that the company complies with the Digital Markets Act (DMA). Similarly, the EU Court also fined Google €2.42 billion in an antitrust case.
In July, the EU gave a deadline to Meta to remove its pay or consent model. Just a month before that, the Union launched an antitrust probe against Microsoft for tying Teams to Office.