Microsoft's LinkedIn professional networking app has admitted to using the email addresses of 18 million non-members in a "non-transparent" manner. LinkedIn confessed to the transgression after it was called out in a report from Ireland's Data Protection Commissioner (DPC) that was released on Friday (via TechCrunch). The DPC report covered the first half of 2018.
Stemming from a single complaint made in 2017, an investigation found that LinkedIn was using the 18 million email addresses to get more people to sign up for the service. The DPC found that LinkedIn in the U.S. had acquired the 18 million email addresses of non-members, and used them in hashed form to place targeted ads on Facebook's platform. According to the report, LinkedIn U.S. did this without instructions from LinkedIn Ireland, which was the subsidiary that actually controlled the data.
Facebook moved control of 1.5 billion subscribers from Ireland to the U.S. roughly a month before Europe's harsher regulations were scheduled to kick in.The reason why this caught the eye of the DPC was that just prior to the date when Europe's tighter General Data Protection Regulations (GDPR) were going to take effect, LinkedIn moved some data processing from Ireland to the U.S. Not that LinkedIn was alone in making such a move to avoid the new regulations.
The report says that LinkedIn "amicably resolved" the complaint and stopped employing user data in the manner that resulted in the complaint. However, further investigation revealed that LinkedIn was using personal data to recommend personal networks for users. Linked in stopped this practice as well.
LinkedIn was lucky that the GDPR rules were not in effect at the time that it was using these email addresses and personal data. Companies that are found to violate GDPR rules can be fined 4% of Global revenues.