The administrative penalties, which are worth around $335 million at current exchange rates, have been issued by Ireland’s Data Protection Commission (DPC) under the European Union’s General Data Protection Regulation (GDPR). The regulator found a raft of breaches, including beaches to the lawfulness, fairness and transparency of its data processing in this area.

The GDPR requires that uses of people’s information have a proper legal basis. In this case, the justifications LinkedIn had relied upon to run its tracking ads business were found to be invalid. It also did not properly inform users about its uses of their information, per the DPC’s decision.

LinkedIn had sought to claim (variously) “consent”-, “legitimate interests”- and “contractual necessity”-based legal bases for processing people’s information — when obtained directly and/or from third parties — to track and profile its users for behavioral advertising. However, the DPC found none were valid. LinkedIn also failed to comply with the GDPR principles of transparency and fairness.

  • NaibofTabr@infosec.pub
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    25 days ago

    Well… look, I’m all for punishing white collar crime, we should do more of that, but I’d much rather incentivize preventing this kind of thing in the first place than punishing people after the fact.

    Taking away the revenue (remember revenue means all the income, not just the profit) from criminal behavior does that, because it means the business risks financial collapse.

    For instance, in this case if LinkedIn’s EU ad sales department violated EU law, then all revenue from the EU ad sales department should be forfeit, for the entire time period during which the violation occurred.

    This would be a lot more effective than threatening rich people with jail time, because rich people can always make a deal to serve their time in a nice facility or house arrest or something. Instead, we threaten to wipe out the business financially.

    • P1nkman@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      24 days ago

      Oh, I totally agree, but if we use the example in the article, how would the EU be able to prove LinkedIn’s revenue? These companies are shifting their money around so they don’t have to pay tax.

      • NaibofTabr@infosec.pub
        link
        fedilink
        English
        arrow-up
        2
        ·
        24 days ago

        Ah, hah, I’m glad you asked, I have thoughts on that too.

        Auditing. The government (every government) should employ a team of auditors. In a case like this, the auditors will be attached to the offending company for the purpose of reviewing their operational and financial records. The auditors will be part of (inside of) the company operations for as long as it takes to untangle the details and assess the total sum of revenue gained from the illegal activity, and if that interferes with running the business well that’s too effing bad.

        While the auditing is ongoing, the company will be responsible for paying the auditors’ salaries and expenses, and providing office space and whatever other resources they need. There will also be a representative of the auditors assigned to the executive board, present at all board meetings, with voting and veto privileges. Effectively, the company is on probation and under observation until their debt is paid. Any other violations discovered during the audit will result in additional prosecutions.

        If the company finds this too burdensome, or if they have tried to obfuscate their records, then they can simply forfeit the revenue of the entire department/operational area in order to expedite the audit.