beebom T:~# posts/linkedin-ran-facebook-ads-targeting-18-million-non-members/

LinkedIn Ran Facebook Ads Targeting 18 Million Non-Members

Nov. 26, 2018

An investigation by Ireland’s Data Protection Commission (DPC) found thatLinkedInhad processed hashed email addresses of approximately 18 million non-LinkedIn members and targeted these individuals on Facebook without necessary permission, a new report has revealed.

In its report published on Friday, DPC said that it concluded its audit of LinkedIn Ireland Unlimited Company (LinkedIn) in respect of its processing of personal data following an investigation of a complaint notified to the DPC by a non-LinkedIn user.

The complaint concerned LinkedIn’s obtaining and use of the complainant’s email address for the purpose of targeted advertising on the Facebook.

The investigation revealed that that LinkedIn Corporation in the US did not have the required permission from the data controller – LinkedIn Ireland — to process hashed email addresses of 18 million non-LinkedIn members.

The complaint was ultimately “amicably resolved”, with LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint, DPC said in its report.

However, the body was “concerned with the wider systemic issues identified” in its report, and undertook a second audit to see if LinkedIn had adequate “technical security and organisational measures.”

DPC found that the site was “undertaking the pre-computation of a suggested professional network for non-LinkedIn members,” and ordered them to stop and delete associated data that existed prior to May 25 of this year, the day when General Data Protection Regulation (GDPR) came into effect.

“Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again,” Kelleher said.

As TechCrunch pointed out LinkedIn did not get fined in this process because until the implementation of GDPR at the end of May, the regulator had no power to enforce fines.