Last week, Ireland's privacy watchdog, An Coimisiún um Chosaint Sonraí (the Data Protection Commission), fined Microsoft-owned professional and social network LinkedIn a hefty €310 million (NZ$560 million) for breaches of Europe's General Data Protection Regulation (GDPR).
LinkedIn was reprimanded and fined for GDPR non-compliance for not seeking its members' consent for processing data around behavioural analysis and targeted advertising. The Microsoft company was also ordered to become compliant with the GDPR in that respect.
The DPC said the personal information in question encompassed data provided directly to LinkedIn by its members, and data obtained via its third-party partners relating to its members. LinkedIn asks users to accept various terms and conditions and policies when people create an account on the site. Afterwards people can opt out of ad tracking and similar features, which is not how GDPR's informed consent works.
Following an inquiry by the DPC, that was deemed to make the processing unlawful under the GDPR. As Graham Doyle, the DPC deputy commissioner, said: “the lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject's fundamental right to data protection.”
The GDPR is a complex piece of EU legislation, and the DPC helpfully created the below infographic to explain the thinking behind its decision.
The European Union is upfront about the fines it levies under the GDPR, saying they are stiff to ensure that data protection best practices are too costly not to adopt. Even so, the big tech companies occasionally appear to take their chances to see what they can get away with, like LinkedIn did last month when it automatically opted in its members to train AI on users' data.
Interestingly, when you drill down into the GDPR enforcement, Ireland emerges as the scourge of the tech giants' lax protection of user privacy.
CMS, which is a global organisation of independent law firms, lists the Irish regulator as having issued seven of the top ten GDPR fines since 2021 on its Enforcement Tracker site. This includes the record €1.2 billion penalty in 2023 against Meta for unlawfully transferring users' personal data to the United States.
Meta, with its online properties such as Facebook and WhatsApp, has been in the DPC's crosshairs six times in the top ten list, but TikTok copped a chunky €345 million fine in 2023 for multiple GDPR breaches.
It's not quite as simple as Ireland being the EU regulator that takes the most active stance as a GDPR enforcer in the economic and political bloc. The complaint that led to the fine originated in France in 2018, but it was passed on to the DPC, which is the lead EU agency tasked with keeping a close eye on LinkedIn.
Cumulatively, the number of GDPR fines might have started to plateau but it's too early to say for sure. As of September this year, the GDPR fines have brought in over €5 billion, according to Enforcement Tracker data.
Looking at those numbers, New Zealand seems like an outlier with its tiny fines of $10,000 maximum, which tech giants could pay with a middle management corporate credit card and which probably aren't much of a deterrent.
What the GDPR and other laws like the California Privacy Rights Act make clear is that tech companies in particular are not automatically entitled to treat you, the user, as the product whose data can be exploited willy-nilly for profit. It remains to be seen if an equilibrium will eventually be found, with users enjoying strong data protection while still making money for providers. Meanwhile, chances are the latest massive EU fine won't be the last.
1 Comments
Great insight. GDPR does have some teeth. The EU has done something right for its citizens. The Anglosphere is comparatively weak when it comes to regulation of and enforcement on data privacy rights.
And if you're a user of LinkedIn, highly recommended you adjust your settings accordingly to not give your consent to your data being used as training data for Gen AI.