Irish Report Indicates LinkedIn Violated Data Protection Rules

The Data Protection Commissioner of Ireland released a report last week that discussed an investigation into a complaint against the social media network LinkedIn, owned by Microsoft. In the investigation, the Data Protection Commission found that LinkedIn U.S. had collected the email addresses of 18 million people who were not users of the network. The company used the addresses in targeted ads on Facebook to encourage more people to join LinkedIn. LinkedIn Ireland, the controller of this data, did not oversee the project, which violated data protection rules. LinkedIn took responsibility for this activity and agreed to stop using email addresses of non-users and related data for this purpose.

Moreover, the Data Protection Commission determined that LinkedIn was using its social graph-building algorithms to suggest professional networks for users in Ireland. When it raised this broader concern, LinkedIn offered to stop using pre-compute processing and to delete personal data associated with the processing. The company noted that it was taking these measures voluntarily, showing its good faith by going further than what it was required to do.

LinkedIn did not receive a fine based on its use of the email addresses because the complaint giving rise to the investigation occurred in 2017. The Data Protection Commission only gained the power to enforce fines following the implementation of the General Data Protection Regulation in the EU, which occurred on May 25, 2018. One issue that remains unclear is how LinkedIn obtained the 18 million email addresses. The Data Protection Commission does not appear to have investigated this issue, since its report does not address it.
