Did LinkedIn violate data protection rules?

LinkedIn, the Microsoft-owned professional networking site with nearly 600 million users, allegedly violated data protection rules in early 2018, according to Ireland’s Data Protection Commission (DPC).

In a report from the DPC, LinkedIn was found to have used 18 million email addresses for Facebook advertising campaigns without user consent.

LinkedIn “processed hashed email addresses” of non-members and used the data in targeted ads on Facebook to grow LinkedIn’s membership, the commission found.

The report did not, however, detail how the email addresses were obtained.

The misuse of user data occurred in the months leading up to GDPR’s implementation, from January to May 2018.

Word of the audit surfaced when the DPC published a report of the commission’s activities in the first six months of the year, during which it investigated a complaint lodged against LinkedIn back in 2017.

“The complaint was ultimately amicably resolved,” according to the DPC, with “LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint.”

How professional networks are predicted

The DPC, however, launched a second audit concerning what it believed to be “wider systemic issues” and to verify whether LinkedIn had been implementing “appropriate technical security and organisational measures” for processing and storing non-member data.

LinkedIn was found to have undertaken the “pre-computation of a suggested professional network for non-LinkedIn members,” the DPC said.

In other words, the network had been pitching “compatible” LinkedIn users to non-users so newcomers to the site could avoid having to build a professional network from scratch, TechCrunch reported.

“As a result of the findings of our audit, LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to cease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018,” the commission said.

LinkedIn released a statement to TechNews, saying: “Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action and have improved the way we work to ensure that this will not happen again.

“During the audit, we also identified one further area where we could improve data privacy for non-members and we have voluntarily changed our practices as a result.”

On the issue of GDPR, HR Tech News spoke to Arabella Underwood, human capital management director and global GDPR expert at Frost & Sullivan.

“Personally, from speaking to my network of HR leaders, I think that global businesses have not taken this seriously,” she explained.

“We’ll only see the real effects of GDPR when the first huge fine is issued and publicized. I found that external promotion was vast in the UK but not so in the rest of the European region – there was little to none in terms of global advertising.”
