- cross-posted to:
- technology@lemmy.zip
- cross-posted to:
- technology@lemmy.zip
The administrative penalties, which are worth around $335 million at current exchange rates, have been issued by Ireland’s Data Protection Commission (DPC) under the European Union’s General Data Protection Regulation (GDPR). The regulator found a raft of breaches, including beaches to the lawfulness, fairness and transparency of its data processing in this area.
The GDPR requires that uses of people’s information have a proper legal basis. In this case, the justifications LinkedIn had relied upon to run its tracking ads business were found to be invalid. It also did not properly inform users about its uses of their information, per the DPC’s decision.
LinkedIn had sought to claim (variously) “consent”-, “legitimate interests”- and “contractual necessity”-based legal bases for processing people’s information — when obtained directly and/or from third parties — to track and profile its users for behavioral advertising. However, the DPC found none were valid. LinkedIn also failed to comply with the GDPR principles of transparency and fairness.
I always feel like the solution is to make this sort of thing unprofitable. Rather than just having a cost-of-doing-business fine, the company should have to forfeit all revenue generated by the illegal activity. The fine should then be assessed in addition to the revenue forfeiture, making it a real penalty rather than a wrist-slap.
Businesses operate on cost-benefit analyses and risk assessments. If violating the privacy regulation risks the loss of all revenue for the ad business, they won’t do it.