Ireland’s Data Protection Commissioner (DPC) found LinkedIn violated data protection rules by using 18 million email addresses of non-members to target them with ads on Facebook.

The ruling is contained in a wide-ranging report published last week, and relates to the period leading up to the introduction of Europe’s General Data Protection Regulation (GDPR) on May 25, 2018.

Following a complaint from a non-LinkedIn user in 2017, the DPC audited LinkedIn. The investigation found that LinkedIn Corp in the US — LinkedIn Ireland’s data processor — had processed hashed email addresses of approximately 18 million non-LinkedIn members and targeted these individuals on the Facebook platform without instruction from the data controller, LinkedIn Ireland.

LinkedIn avoided a fine and the complaint was “amicably resolved” with the professional networking site implementing a number of immediate actions “to cease the processing of user data for the purposes that gave rise to the complaint”.

That investigation then led the DPC to conduct a further audit to verify that LinkedIn had in place appropriate technical security and organisational measures, particularly for its processing of non-member data and its retention of such data.

That audit found LinkedIn Corp was “undertaking the pre-computation of a suggested professional network for non-LinkedIn members”.

“LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to cease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018,” the report stated.

Ad tech troubles

In other GDPR-related news, last week the French data watchdog issued a warning to a local ad tech player, which could have much wider implications for the digital advertising ecosystem.

The Commission Nationale de l’Informatique et des Libertés, or CNIL, ruled that Vectuary, a French DSP, was harvesting data on almost 70 million people, across 32,000 apps, without their consent.

The ruling was made in late October and published on the CNIL website earlier this month. It was picked up by international trade media and ad tech executives who deciphered the French legal document.

The company now has three months to comply with GDPR, including deleting any data it gathered without proper consent. Digiday, AdExchanger and TechCrunch have further analysis on the decision.
