The European Commission Rises to Combat Predatory Use of Personal Data

The Irish data regulator’s recent case against LinkedIn, a major professional networking platform, may mark the start of a new season of scrutiny for those suspected of improper use of personal information. This pursuit is likely to be intensified by the Digital Services Act (DSA), which came into force in the EU on 25 August 2023. Additionally, regulatory shifts within the EU may affect oversight as former Internal Market Commissioner Thierry Breton stepped down in September, with Stéphane Séjourné set to assume the role from 1 December. These developments are unfolding amidst increasing usage of artificial intelligence (AI) to process personal data, integrating these results across platforms, alongside cyber threats from authoritarian regimes.

News broke on 24 October that the Irish Data Protection Commissioner (DPC Ireland), the EU’s leading regulator on personal data privacy, fined LinkedIn, a platform under the tech giant Microsoft, €310 million. The basis for the fine lay in LinkedIn's practices regarding targeted advertising. Notably, DPCI holds a prominent regulatory position in the EU on personal data privacy due to the fact that many top global internet companies are incorporated in Ireland, drawn by its favourable tax environment.

This is neither the first nor the largest such fine; in May 2023, the EU imposed a record €1.3 billion fine on Meta (the company behind Facebook) for data privacy violations, requiring the company to cease transferring EU users' personal information to the United States.

Returning to LinkedIn's case, DPC Ireland’s Deputy Commissioner Graham Doyle commented that “processing personal data without a legal basis is a clear and serious breach of the fundamental right to data protection,” as stated on the regulator’s official X (formerly Twitter) account. LinkedIn was not entirely surprised by this decision; earlier in 2023, Microsoft had acknowledged the possibility of its subsidiary facing a fine of up to €400 million from DPCI.

On the same day, LinkedIn released a statement acknowledging the case has been ongoing for six years but was cautious in admitting fault: “Today, the Irish Data Protection Commission (IDPC) issued its final decision regarding 2018 complaints over certain aspects of our digital advertising efforts in the EU. While we believe we comply with the General Data Protection Regulation (GDPR), we are working to align our advertising practices with this decision by the IDPC’s deadline.”

EU Internal Market Commissioner Thierry Breton, however, was far less restrained. Four months prior to the fine’s announcement, on 7 June, he remarked on LinkedIn's compliance: “After receiving a civil society complaint in March, we asked LinkedIn to clarify how they adhere to the DSA’s ban on targeted ads based on sensitive personal data, such as sexual orientation, political beliefs, or race. Consequently, LinkedIn voluntarily ceased the function. The Commission will ensure LinkedIn keeps its public promise to fully comply with the DSA. It’s promising to see the DSA prompting changes that no other law has achieved in Europe or beyond.”

Despite this, it seems some key provisions of the DSA, which were meant to guide large digital platforms well in advance, took some by surprise when they became enforceable on 25 August 2023. The LinkedIn case hints that not all major platforms, with user bases exceeding 45 million—the threshold for DSA applicability—have fully adapted to these requirements in time.

Breton’s expectations may have proved more optimistic than the resulting reality. However, the next steps won’t be his to take. On 16 September, Breton announced his immediate resignation in a letter to European Commission President Ursula von der Leyen, citing differing opinions with her as the reason. He later clarified that von der Leyen had approached French President Emmanuel Macron to propose a different candidate for the new Commission, which is expected to be operational by 1 December.

The reasons behind von der Leyen’s reluctance to continue with Breton remain unclear, but his successor, Stéphane Séjourné, will soon oversee the digital regulatory portfolio. Séjourné, who served as Foreign Minister in Prime Minister Gabriel Attal’s French government from January to September 2024, is known for his pro-European stance. As a former member of the European Parliament, he led the liberal pro-EU Renew Europe parliamentary group from 2021 to 2024, declining an offer to collaborate with the nationalist European Conservatives and Reformists (ECR) group in the new European Parliament in 2024.

What comes next? It seems European lawmakers and regulators will need to closely monitor the practices of major digital platforms within the EU and observe developments to the east. Ukraine’s experience is particularly instructive, with its highly digitalised state services requiring robust data protection measures against repeated cyberattacks by Russian intelligence. Georgia also offers insights, as the nation remains heavily influenced by Moscow and has likely seen Russian intelligence interference in recent elections through digital means.