Multimillion euro fines issued to Meta and LinkedIn

For those with an interest in data privacy matters,
Ireland has recently been a focal point of enforcement activity.
In September and October 2024, the Irish Data Protection Commission
(DPC) issued two significant rulings, concerning Meta Platforms
Ireland Limited (MPIL) and LinkedIn Ireland Unlimited Company (LinkedIn),
which resulted in fines of hundreds of millions of euros.

The case concerning MPIL originated in 2019,
when MPIL disclosed that user passwords had been stored in plain
text on internal systems without encryption. The inquiry assessed
MPIL's GDPR compliance and whether the company had implemented
appropriate security measures to safeguard password data.

According to the DPC, MPIL had violated multiple GDPR
requirements: it failed to notify the DPC of the breach (Art.
33.1), it did not document the breach (Art. 33.5), and it lacked
adequate security measures for password protection (Art. 5.1(f)
and Art. 32.1).

Given the sensitive nature of password data, the Deputy
Commissioner emphasized the importance of secure encryption,
noting the high risk of abuse when such data is stored in plain
text and underscoring the need for adequate technical and
organizational safeguards. The ruling imposed on the company a
formal reprimand and a 91 million euro fine.

The LinkedIn inquiry examined
LinkedIn's processing of member data for the purposes of
behavioural analysis and targeted advertising. The
investigation found that LinkedIn failed to meet multiple
GDPR requirements (Article 6.1 among others), as the
consent obtained from third parties for behavioural analysis and
targeted advertising was insufficiently informed, specific, and
unambiguous. It also found that LinkedIn could not rely on
legitimate interests for processing personal data for these
purposes, as its interests were outweighed by the interests and
fundamental rights and freedoms of the data subjects. Moreover,
LinkedIn could not rely on contractual necessity to process the
data of its members for these purposes.

The GDPR infringements also included deficiencies
in the information LinkedIn provided to its members regarding its
lawful basis for data processing (Art. 13.1(c) and Art. 14.1(c)),
along with violations of the principle of fairness (Art. 5.1(a)).
The Deputy Commissioner highlighted that a lawful basis for
processing personal data is essential in data protection law;
processing without one is a serious violation of an individual's
fundamental right to data protection.

In light of this, the decision resulted in a formal reprimand
and a fine of 310 million euros for LinkedIn.

These decisions reinforce the essential importance of lawful
data processing under the GDPR and the rigorous standards
organizations must maintain to protect user data and rights. This
message is particularly relevant to, though not limited to, social
media platforms, as their business models rely heavily on the
collection and processing of member data.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.