Dear LinkedIn, new to your network: the AVG

This article examines how the decision of the DPC assessed LinkedIn's compliance with the AVG, with a specific focus on the processing of personal data for the purposes of behavioral analysis and targeted advertising. First, LinkedIn's processing practices are analyzed, focusing on the legal grounds the platform used, such as consent, contractual necessity and legitimate interest. It then assesses the extent to which these legal grounds meet the requirements of Article 5 AVG mentioned above. The article then addresses the key points of the DPC's decision, focusing on the inadequate provision of information to users and the lack of clarity about processing purposes. Finally, it discusses how these shortcomings are in line with the recent case of the European Court of Justice (the Court) in the case Royal Dutch Lawn Tennis Association t. AP, which sets strict requirements for the use of legitimate interest as a legal basis.

Judgment CJEU 4 October 2024, C-621/22(Royal Dutch Law Tennis Association v. Authority Persoonsgegevens) (hereinafter KNLTB v. AP)

Investigation into LinkedIn's processing practices
The study focuses on how LinkedIn processes users' personal data specifically for two purposes: behavioral analysis and targeted advertising. The platform processes both data that users provide directly (first-party data) and data it obtains from third parties.

LinkedIn creates user profiles by collecting and analyzing data based on data provided (e.g., name, job title, and work experience) as data the platform derives from user interactions. The purpose of these profiles is to personalize the platform and predict user preferences in order to display more relevant content and advertisements. LinkedIn combines user data such as work experience and interests with data obtained through activities on the platform in order to enhance these analyses.

Essence of the complaint and key questions of the investigation
La Quadrature Du Net' s complaint concerns possible violations of the AVG by LinkedIn, including the lack of a valid legal basis for processing personal data for behavioral analysis and targeted ads. The DPC investigates whether LinkedIn has a valid legal basis, such as consent, contractual necessity or legitimate interest, and whether users are adequately informed about the purpose of the processing. The DPC finds that LinkedIn fails in this regard.

DPC decision: unlawful, improper and non-transparent processing

The DPC argues that LinkedIn has no valid legal basis for processing personal data for behavioral analysis and targeted ads:

1. LinkedIn requests consent, but the DPC rules that it does not meet the requirements for valid consent, namely: freely given, specific, informed and unambiguous. For example, users are not adequately informed of the purpose of data processing.

   Article 6(1)(a) joins Article 4(11) AVG.

2. LinkedIn cites legitimate interest in processing user data for behavioral analysis and advertising. However, the DPC finds that users' interests and rights take precedence over LinkedIn's commercial interests.

   Article 6(1)(f) AVG.

3. LinkedIn claims the processing is necessary to perform the service that was offered to users, but the DPC finds that the necessity has not been clearly or convincingly demonstrated. The DPC believes that these processing activities are not strictly necessary to provide LinkedIn's core functionality.

   Article 6(1)(b) AVG.

In addition, the DPC alleges that LinkedIn does not adequately inform its users about the reasons why their data is collected and processed. According to the regulator, LinkedIn is missing crucial information about the legal grounds for such processing, in violation of Articles 13 and 14 of the AVG.

Article 13(1)(c) and Article 14(1)(c) AVG.

Finally, the regulator concludes that LinkedIn improperly processes data.

Article 5(1)(a) AVG.

LinkedIn received a reprimand for failing to comply with the regulation's requirements.

Article 58(2)(b) AVG.

The KNLTB case and legitimate interest.
The Court's recent decision in the case Royal Dutch Lawn Tennis Association t. AP affirms the DPC's findings on specifically the "legitimate interest" basis in several respects. First, the Court states that the controller must pursue a legitimate interest that need not be established by law, but must be legitimate. The Court recognizes a wide range of legitimate interests, including commercial interests.

KNLTB v. AP, paragraphs 37 - 40 of law.

Second, the processing must be necessary to satisfy the legitimate interest. The Court emphasizes that alternatives less intrusive to the rights of data subjects must be considered.

KNLTB v. AP, paragraphs 42 - 43 of law.

Third, the interests of data subjects must not outweigh the legitimate interest of the controller. Here, the reasonable expectations of data subjects must be taken into account. Data subjects' interests explicitly outweigh the controller's interests when personal data are processed in circumstances where data subjects do not reasonably expect such processing.

KNLTB v. AP, paragraphs 44 - 45 of law.

The DPC's findings are closely aligned with the above considerations. Indeed, the DPC finds that LinkedIn bases its processing activities on, among other things, the legitimate interest basis, but in doing so fails to provide data subjects with clear information about the purposes of the processing. By not providing transparency, data subjects do not have realistic expectations about how and why their data is processed. The lack of clear and specific information increases the discrepancy between users' expectations and actual processing practices. Therefore, according to the DPC, the interests of data subjects outweigh those of LinkedIn.

Conclusion
The DPC's decision in the case against LinkedIn highlights the platform's failure to comply with its obligations under the AVG when processing personal data for behavioral analysis and deploying targeted ads. The DPC finds that LinkedIn does not meet the requirements of a valid legal basis, including consent, a contractual necessity or a legitimate interest. The reliance on legitimate interest fails because the interests and expectations of data subjects outweigh LinkedIn's commercial interests.

It also lacks sufficient transparency, as LinkedIn does not clearly inform its users about the purposes and legal grounds for processing. This constitutes a violation of Articles 13 and 14 of the AVG.

Finally, the lack of a legal basis and the lack of transparency leads LinkedIn to violate the principles of lawfulness, fairness and transparency from Article 5 AVG. Without a valid legal basis, personal data are not processed in a way that is lawful with respect to data subjects. Personal data are also processed in a way that is not proper with respect to data subjects. By failing to comply with the transparency obligations, LinkedIn is creating a situation where data subjects are not sufficiently informed to understand what is happening with their personal data and how it affects them. This affects their ability to exercise control over their personal data.

The fine reflects the importance of transparency to data subjects about processing purposes, as also confirmed by the Court in Royal Dutch Lawn Tennis Association v. AP. Without adequate transparency, the lawfulness of processing cannot be established. This decision serves as a warning to platforms carrying out similar processing activities, and highlights the need to ensure strict compliance with the obligations of the AVG.