An investigation by Ireland’s Data Protection Commission (DPC) found that LinkedIn had processed hashed email addresses of approximately 18 million non-LinkedIn members and targeted these individuals on Facebook without necessary permission, a new report has revealed.
The investigation covered the activities of the Microsoft-owned professional networking platform during the first six months of 2018. It is still not clear how LinkedIn got hold of those 18 million email addresses.
In its report published on Friday, DPC said that it concluded its audit of LinkedIn Ireland Unlimited Company (LinkedIn) in respect of its processing of personal data following an investigation of a complaint notified to the DPC by a non-LinkedIn user.
The complaint concerned LinkedIn’s obtaining and use of the complainant’s email address for the purpose of targeted advertising on the Facebook.
The investigation revealed that that LinkedIn Corporation in the US did not have the required permission from the data controller – LinkedIn Ireland — to process hashed email addresses of 18 million non-LinkedIn members.
The complaint was ultimately “amicably resolved”, with LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint, DPC said in its report.
However, the body was “concerned with the wider systemic issues identified” in its report, and undertook a second audit to see if LinkedIn had adequate “technical security and organisational measures.”
DPC found that the site was “undertaking the pre-computation of a suggested professional network for non-LinkedIn members,” and ordered them to stop and delete associated data that existed prior to May 25 of this year, the day when General Data Protection Regulation (GDPR) came into effect.
“We appreciate the DPC’s 2017 investigation of a complaint about an advertising campaign and fully cooperated,” Denis Kelleher, Head of Privacy, Europe, the Middle East and Africa, for LinkedIn, told TechCrunch in a statement.
“Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again,” Kelleher said.
As TechCrunch pointed out LinkedIn did not get fined in this process because until the implementation of GDPR at the end of May, the regulator had no power to enforce fines.