For those with an interest in data privacy matters, Ireland has recently been a focal point of activity in this area. In September and October 2024, the Irish Data Protection Commission (DPC) issued two significant rulings, concerning Meta Platforms Limited (MPIL) and LinkedIn Ireland Unlimited Company (LinkedIn), which have resulted in fines of millions of euros.
The case concerning MPIL originated in 2019 when MPIL disclosed that user passwords had been stored in plain text on internal systems without encryption. The scope of the inquiry assessed MPIL’s GDPR compliance and whether the company had implemented appropriate security measures to safeguard password data.
According to the DPC, MPIL had violated multiple GDPR requirements; it failed to notify the DPC of the said breach (Art. 33.1), it did not document the breach (Art. 33.5), and it lacked adequate security measures for password protection (Art. 5.1.(f) and 32.1).
As this issue concerned the sensitive nature of password data, the Deputy Commissioner emphasized the importance of secure encryption, noting the high risk of abuse when data is stored in plain text, underscoring the importance of adequate technical and organizational safeguards. The ruling imposed on the company a formal reprimand and a 91 million euro fine.
The LinkedIn inquiry examined LinkedIn’s processing of member data for the purposes of behavioural analysis and targeted advertising. During the investigation, it was found that LinkedIn failed to meet multiple GDPR requirements (including Article 6.1 amongst others), as the consent obtained from third parties for behavioural analysis and targeted advertising was insufficiently informed, specific, and unambiguous. It also found that LinkedIn could not rely on legitimate interests for processing personal data for the said purposes, as its interests were outweighed by the interests and fundamental rights and freedoms of the data subjects. Moreover, LinkedIn lacked contractual necessity to process the data of its members for these purposes.
Additionally, the GDPR infringements also included deficiencies in the information LinkedIn provided to its members regarding its lawful basis for data processing (Art. 13.1(c) and Art. 14.1(c)), along with violations of the principle of fairness (Art. 5.1.(a)). The Deputy Commissioner highlighted that the lawful basis for processing personal data is essential in data protection law; processing without it is a serious violation of an individual’s fundamental right to data protection.
In light of this, the decision resulted in a formal reprimand and a fine of 310 million euro for LinkedIn.
These decisions reinforce the essential importance of lawful data processing under the GDPR, and the rigorous standards organizations must maintain to protect user data and rights. This message is particularly relevant, though not limited to social media platforms, as their business models rely heavily on the collection and processing of member data.
