DECISION SUMMARY
What happened
On 24 October 2024, Ireland's Data Protection Commission (DPC) announced a final decision, adopted on 22 October 2024, imposing administrative fines totalling €310 million on LinkedIn Ireland Unlimited Company. The decision concluded a cross-border inquiry into LinkedIn's processing of members' personal data for the purposes of behavioural analysis and targeted advertising. The DPC found that LinkedIn did not have a valid lawful basis for that processing, and that it had failed to give members the information the GDPR requires about it.
The inquiry originated in a complaint lodged in August 2018 with the French supervisory authority, the CNIL, by the French non-profit La Quadrature du Net on behalf of affected members. Because LinkedIn's main establishment in the EU is in Ireland, the DPC acted as lead supervisory authority under the one-stop-shop mechanism in Article 56 GDPR, with the CNIL as the originating concerned authority. The DPC examined the personal data that LinkedIn collected directly from members (first-party data), data it obtained about members from third parties, and the analytics it ran on both.
The DPC submitted a draft decision to the other concerned supervisory authorities under Article 60. No Article 65 dispute-resolution referral was required: the concerned authorities reached consensus, and the DPC adopted the final decision. The €310 million figure is therefore the DPC's own assessment, not an EDPB-instructed amount, which distinguishes it from the Meta €1.2 billion transfers fine of 2023.
What the DPC found
The central finding was that LinkedIn had no valid lawful basis under Article 6 GDPR for processing members' data for behavioural analysis and targeted advertising. LinkedIn had relied on three different bases for different elements of the processing: consent, legitimate interests, and the necessity of processing for performance of the contract with the member. The DPC rejected all three. The consent LinkedIn obtained was not freely given, sufficiently informed, specific or unambiguous, and so did not meet the Article 4(11) and Article 7 standard. Legitimate interests under Article 6(1)(f) could not be relied on because LinkedIn's commercial interest in advertising did not override the interests and fundamental rights of its members. And the processing was not objectively necessary to perform the user contract under Article 6(1)(b).
Because none of the asserted bases was valid, the processing infringed Article 6 and, in turn, the lawfulness limb of the Article 5(1)(a) principle. The DPC also found that LinkedIn breached the fairness limb of Article 5(1)(a): processing members' data for intrusive profiling in a way they would not reasonably expect, and without an adequate basis, was not fair processing. Separately, the DPC found that LinkedIn had not complied with its transparency obligations: it had failed to provide members with the information required by Article 13(1)(c) (where data is collected from the data subject) and Article 14(1)(c) (where data is obtained from third parties) about the legal basis for the advertising processing.
How the €310 million was structured
The DPC did not impose a single fine. It imposed three administrative fines under Articles 58(2)(i) and 83 GDPR, mapped to distinct categories of infringement. Public reporting of the decision records the breakdown as approximately €105 million for the processing of third-party data, approximately €110 million for the processing of first-party data and third-party analytics, and approximately €95 million for the transparency failures under Articles 13 and 14. Together these total €310 million. Alongside the fines, the DPC issued a reprimand under Article 58(2)(b) and a compliance order under Article 58(2)(d) requiring LinkedIn to bring its advertising processing into conformity with the GDPR.
As an upper-tier infringement of the lawfulness and transparency provisions, the conduct fell within Article 83(5), which caps fines at €20 million or 4% of total worldwide annual turnover, whichever is higher. Microsoft, LinkedIn's parent, reported group revenue well above €200 billion, so the 4% ceiling sat far above €310 million. The fine therefore reflects the DPC's Article 83(2) assessment of gravity, duration and the categories of data, not the statutory cap.
Where this sits in the enforcement record
At €310 million, the LinkedIn fine was, when issued, among the largest GDPR fines on record and the fourth-largest issued by the Irish DPC, behind Meta's €1.2 billion transfers fine (2023), Meta's €405 million Instagram children's-data fine (2022) and Meta's €390 million contractual-basis fine (2023). It belongs to the same line of decisions that has progressively closed off legitimate interests and contractual necessity as bases for behavioural advertising on large platforms, following the EDPB's binding decisions on the Meta contractual-basis inquiries in late 2022.
What this decision tells controllers
For any controller running behavioural advertising in the EEA, the practical lesson is that consent has become the only reliable lawful basis, and it must be valid consent: opt-in, granular, unbundled from the service contract, and revocable. Attempts to fall back on legitimate interests or contractual necessity for profiling-based advertising have now been rejected by the DPC in both the Meta and LinkedIn lines of decisions. Controllers should also treat the transparency findings seriously: the privacy notice must specifically name the advertising purpose, the legal basis relied on, and the categories of recipient, satisfying both Article 13 (data from the member) and Article 14 (data from third parties).