An investigation by Ireland's Data Protection Commission (DPC) found that LinkedIn processed hashed email addresses for approximately 18 million non-LinkedIn users and directed those individuals to Facebook without the necessary permission, a new report revealed.
The investigation covered the activities of Microsoft's professional networking platform during the first six months of 2018, The Verge reported on Saturday.
In its report published on Friday, DPC concluded that it has completed its audit of LinkedIn Ireland Unlimited Company (LinkedIn) regarding the processing of personal data following an investigation of a complaint notified to DPC by a non-LinkedIn user.
The claim related to LinkedIn's obtaining and using the claimant's email address for targeted advertising purposes on Facebook.
The investigation revealed LinkedIn Corporation in the US did not have the necessary permission of the data controller – LinkedIn Ireland – to process hashed email addresses of 18 million non-LinkedIn members.
The complaint was finally settled amicably with LinkedIn implementing a series of immediate actions to cease processing user data for the purposes that gave rise to the complaint, the DPC said in its report.
However, the agency was "concerned about the broader systemic issues identified" in its report and conducted a second audit to see if LinkedIn had "adequate technical and technical security measures".
DPC found that the site was "pre-calculating a suggested professional network for non-LinkedIn members" and ordered that they stop and delete associated data that existed before May 25 of this year, the day on which Regulation General of Data Protection (GDPR) has entered into force.
"We appreciate the 2017 DPC's investigation into a complaint about an advertising campaign and full collaboration," Denis Kelleher, privacy director for LinkedIn Europe, Middle East and Africa, told TechCrunch in a statement.
"Unfortunately, the strong processes and procedures that we have in place have not been fulfilled and therefore we feel very sorry. We take appropriate action and we improve the way we work to ensure this does not happen again, "Kelleher said.
As TechCrunch pointed out, LinkedIn was not fined this process because, until the implementation of GDPR in late May, the regulator had no power to impose fines. It's still unclear how LinkedIn got those 18 million email addresses.
First published: November 26, 2018 1:02 PM IST