Social media network LinkedIn processed the email addresses of 18 million non-members and targeted them with advertising on Facebook without permission, an audit by the Data Protection Commissioner has found.

The Data Protection Commissioner conducted an audit of the multinational LinkedIn Ireland, home to the company’s EU headquarters, after it became concerned with “systemic” issues in relation to how the company was processing the personal data of people who were not members of the network.

A non-LinkedIn user complained to the office that their email address had been obtained and used by the company for the purposes of targeted advertising on Facebook, the commissioner’s annual report outlines.

An investigation identified that LinkedIn Corp in the US, which processes data on behalf of LinkedIn Ireland, processed the email addresses of about 18 million non-LinkedIn members and targeted these individuals on the Facebook platform.

The addresses were uploaded to Facebook in a “hashed” or coded form which allowed Facebook to deliver ads to LinkedIn’s intended targets. The commissioner’s report said LinkedIn in the US had targeted the 18 million users on Facebook in the absence of instructions from LinkedIn in Ireland, which was the data controller.

“The complaint was ultimately amicably resolved, with LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint,” the commissioner said.

However, following on from this complaint, the DPC said it was concerned with the “wider systemic” issues identified and it commenced an audit to verify that LinkedIn had appropriate security measures in place, particularly for its processing of data about non-members.

“The audit identified that LinkedIn Corp was undertaking the pre-computation of a suggested professional network for non-LinkedIn members,” the report said.

“As a result of the findings of our audit, LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to cease pre-compute processing and to delete all personal data associated with such processing prior to May 25th, 2018.”

On that date, the EU General Protection Regulation became enforceable. The commissioner’s annual report covers the period from January 1st to May 24th, when the old office of the Data Protection Commissioner ceased to exist. The new office, the Data Protection Commission, came into existence on May 25th.

Multinationals

Outlining its engagement with other multinationals with headquarters in Ireland, the commission said its examination of Facebook’s facial recognition facility was “ongoing”.

The office also concluded its investigation into the Yahoo (now Oath EMEA Ltd) data breach, which affected 500 million Yahoo user accounts in 2014 and reported to the DPC in September 2016.

“Based on its findings, the DPC notified Yahoo that it is required to take specified and mandatory actions to bring its data processing into compliance with EU data protection law and as given effect or further effect in Irish law,” the report said.

In the five months to May, the commission received 1,249 complaints, some 571 of which related to people having issues with getting access to the personal data held on them by organisations.

There were 1,198 data security breaches recorded.

In her foreword, Data Protection Commissioner Helen Dixon said she had travelled to San Francisco and the Bay area in March to meet a range of companies that are required to comply with the General Data Protection Regulation.

She said the trip was “useful” in gaining an understanding of the new law that were creating confusion for organisations.

“What was clear from the meetings was that consideration of many of the newer features of the GDPR were lower down the list of immediate priorities of organisations. What was equally clear is that the world’s most innovative companies have yet to come up with equally innovative solutions to deliver real personal data transparency and useful information to users, while delivering a positive user experience.”

In a statement, LinkedIn’s head of privacy for EMEA Denis Kelleher said: “We appreciate the DPC’s 2017 investigation of a complaint about an advertising campaign and fully cooperated. Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry .

“We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again. During the audit, we also identified one further area where we could improve data privacy for non-members and we have voluntarily changed our practices as a result.”