Microsoft’s LinkedIn professional networking app has admitted to using the email addresses of 18 million non-members in a “non-transparent” manner. LinkedIn confessed to the transgression after it was called out in a report from Ireland’s Data Protection Commissioner (DPC) that was released on Friday (via TechCrunch). The DPC report covered the first half of 2018.
Stemming from a single complaint made in 2017, an investigation found that LinkedIn was using the 18 million email addresses to get more people to sign up for the service. The DPC found that LinkedIn in the U.S. had acquired the 18 million email addresses of non-members, and used them in hashed form to place targeted ads on Facebook’s platform. According to the report, LinkedIn U.S. did this without instructions from LinkedIn Ireland, which was the subsidiary that actually controlled the data.
This caught the eye of the DPC because, just before Europe’s tighter General Data Protection Regulation (GDPR) was going to take effect, LinkedIn moved some data processing from Ireland to the U.S. Not that LinkedIn was alone in making such a move to avoid the new regulations. Facebook moved control of 1.5 billion subscribers from Ireland to the U.S. roughly a month before Europe’s harsher regulations were scheduled to kick in.
The report says that LinkedIn “amicably resolved” the complaint and stopped employing user data in the manner that resulted in the complaint. However, further investigation revealed that LinkedIn was using personal data to recommend personal networks for users. LinkedIn stopped this practice as well.
“We appreciate the DPC’s 2017 investigation of a complaint about an advertising campaign and fully cooperated. Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again. During the audit, we also identified one further area where we could improve data privacy for non-members and we have voluntarily changed our practices as a result.” - Denis Kelleher, Head of Privacy, EMEA, LinkedIn
LinkedIn was lucky that the GDPR rules were not in effect at the time that it was using these email addresses and personal data. Companies that are found to violate GDPR rules can be fined 4% of global revenues.