The administrative penalties, which are worth around $335 million at current exchange rates, have been issued by Ireland’s Data Protection Commission (DPC) under the European Union’s General Data Protection Regulation (GDPR). The regulator found a raft of breaches, including beaches to the lawfulness, fairness and transparency of its data processing in this area.

The GDPR requires that uses of people’s information have a proper legal basis. In this case, the justifications LinkedIn had relied upon to run its tracking ads business were found to be invalid. It also did not properly inform users about its uses of their information, per the DPC’s decision.

LinkedIn had sought to claim (variously) “consent”-, “legitimate interests”- and “contractual necessity”-based legal bases for processing people’s information — when obtained directly and/or from third parties — to track and profile its users for behavioral advertising. However, the DPC found none were valid. LinkedIn also failed to comply with the GDPR principles of transparency and fairness.

  • kambusha@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    8
    ·
    11 days ago

    Just jail the CEO. Maybe their salary will finally be justified, if they’re willing to take the risk.

    • NaibofTabr@infosec.pub
      link
      fedilink
      English
      arrow-up
      6
      ·
      11 days ago

      Thing is, if the profit is high enough and the golden parachute is good enough then a business could probably find someone to take the fall as the CEO for them. Losing the CEO won’t end the business or their exploitative behavior.

      • P1nkman@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        11 days ago

        Board of Directors. Entire C-suite on trial. People with 10% or more ownership of shares. That would change things.

        Oh, emails were deleted and couldn’t be recovered? CTO is at fault. Skip start, go straight to jail.

        • NaibofTabr@infosec.pub
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          11 days ago

          Well… look, I’m all for punishing white collar crime, we should do more of that, but I’d much rather incentivize preventing this kind of thing in the first place than punishing people after the fact.

          Taking away the revenue (remember revenue means all the income, not just the profit) from criminal behavior does that, because it means the business risks financial collapse.

          For instance, in this case if LinkedIn’s EU ad sales department violated EU law, then all revenue from the EU ad sales department should be forfeit, for the entire time period during which the violation occurred.

          This would be a lot more effective than threatening rich people with jail time, because rich people can always make a deal to serve their time in a nice facility or house arrest or something. Instead, we threaten to wipe out the business financially.

          • P1nkman@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            11 days ago

            Oh, I totally agree, but if we use the example in the article, how would the EU be able to prove LinkedIn’s revenue? These companies are shifting their money around so they don’t have to pay tax.

            • NaibofTabr@infosec.pub
              link
              fedilink
              English
              arrow-up
              2
              ·
              11 days ago

              Ah, hah, I’m glad you asked, I have thoughts on that too.

              Auditing. The government (every government) should employ a team of auditors. In a case like this, the auditors will be attached to the offending company for the purpose of reviewing their operational and financial records. The auditors will be part of (inside of) the company operations for as long as it takes to untangle the details and assess the total sum of revenue gained from the illegal activity, and if that interferes with running the business well that’s too effing bad.

              While the auditing is ongoing, the company will be responsible for paying the auditors’ salaries and expenses, and providing office space and whatever other resources they need. There will also be a representative of the auditors assigned to the executive board, present at all board meetings, with voting and veto privileges. Effectively, the company is on probation and under observation until their debt is paid. Any other violations discovered during the audit will result in additional prosecutions.

              If the company finds this too burdensome, or if they have tried to obfuscate their records, then they can simply forfeit the revenue of the entire department/operational area in order to expedite the audit.

      • kambusha@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        11 days ago

        Tbh, you’re probably right. It’s the same reason that solar finally is seeing an uptick, and how cryptography works. Solar makes financial sense now, and cryptography is all just about how much money you would need to spend to crack a password.

        • NaibofTabr@infosec.pub
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          11 days ago

          This is really it. Businesses are about making money. If you want to change the way businesses behave, you have to change the financial incentives. You can condemn the capitalist greed motivation if you want, but that really only amounts to moralistic posturing, it doesn’t accomplish anything practical. It’s more useful to understand how businesses make decisions, and then adjust rules to incentivize the behavior you want and disincentivize the behavior you don’t want.

          An ounce of prevention is worth a pound of cure.