      Significant GDPR Enforcement in Ireland

      Published on 13 Nov 2024 | 1 minute read
      Multimillion euro fines issued to Meta and LinkedIn

      For those with an interest in data privacy matters, Ireland has recently been a focal point of activity in this area. In September and October 2024, the Irish Data Protection Commission (DPC) issued two significant rulings, concerning Meta Platforms Limited (MPIL) and LinkedIn Ireland Unlimited Company (LinkedIn), which have resulted in fines of millions of euros.

      The case concerning MPIL originated in 2019 when MPIL disclosed that user passwords had been stored in plain text on internal systems without encryption. The scope of the inquiry assessed MPIL’s GDPR compliance and whether the company had implemented appropriate security measures to safeguard password data.

      According to the DPC, MPIL had violated multiple GDPR requirements: it failed to notify the DPC of the breach (Art. 33.1), it did not document the breach (Art. 33.5), and it lacked adequate security measures for password protection (Art. 5.1(f) and 32.1).

      Given the sensitive nature of password data, the Deputy Commissioner emphasized the importance of secure encryption, noting the high risk of abuse when data is stored in plain text and underscoring the importance of adequate technical and organizational safeguards. The ruling imposed a formal reprimand and a 91 million euro fine on the company.

      The LinkedIn inquiry examined LinkedIn’s processing of member data for the purposes of behavioural analysis and targeted advertising. During the investigation, it was found that LinkedIn failed to meet multiple GDPR requirements (including Article 6.1 amongst others), as the consent obtained from third parties for behavioural analysis and targeted advertising was insufficiently informed, specific, and unambiguous. It also found that LinkedIn could not rely on legitimate interests for processing personal data for the said purposes, as its interests were outweighed by the interests and fundamental rights and freedoms of the data subjects. Moreover, LinkedIn lacked contractual necessity to process the data of its members for these purposes.

      The GDPR infringements also included deficiencies in the information LinkedIn provided to its members regarding its lawful basis for data processing (Art. 13.1(c) and Art. 14.1(c)), along with violations of the principle of fairness (Art. 5.1(a)). The Deputy Commissioner highlighted that the lawful basis for processing personal data is essential in data protection law; processing without it is a serious violation of an individual’s fundamental right to data protection.

      In light of this, the decision resulted in a formal reprimand and a fine of 310 million euro for LinkedIn.

      These decisions reinforce the essential importance of lawful data processing under the GDPR, and the rigorous standards organizations must maintain to protect user data and rights. This message is particularly relevant to, though not limited to, social media platforms, as their business models rely heavily on the collection and processing of member data.

      Associate, Legal Counsel
      +46 076 0107192