EU Targets Persona-LinkedIn for Systemic GDPR Violations
Data protection authorities in Ireland, France, Germany, and the Netherlands have opened coordinated investigations into the Persona-LinkedIn biometric verification pipeline for alleged violations of GDPR Articles 5, 6, 9, 17, 35, 44, and 46. The investigation, coordinated under the GDPR one-stop-shop mechanism with the Irish DPC as lead supervisory authority, focuses on four areas: processing of biometric data, a special category of data, without the explicit consent Article 9 requires; failure to delete data within the stated retention periods (Article 17 and the Article 5(1)(e) storage-limitation principle); an inadequate legal basis for international transfers to Persona's US-based servers (Articles 44-46, read in light of the Schrems II judgment); and failure to conduct a Data Protection Impact Assessment for high-risk biometric processing (Article 35). Combined fine exposure across all identified violations is estimated to exceed 2.4 billion euros, calculated on the worldwide turnover of LinkedIn's parent company, Microsoft.
Scope of Investigation
The coordinated investigation covers all LinkedIn users in the European Economic Area who completed Persona identity verification since the program launch in July 2024. An estimated 3.8 million EEA users completed verification, with biometric templates transferred to Persona US-based servers in AWS us-east-1 region. The Irish DPC investigation focuses on LinkedIn Ireland Limited as data controller, while the French CNIL, German BfDI, and Dutch AP are pursuing complementary investigations into Persona as data processor under GDPR Article 28. The investigations were triggered by 247 coordinated complaints filed through noyb (None Of Your Business), the privacy advocacy organization founded by Max Schrems.
Key Legal Issues
The investigations center on four alleged GDPR violations. First, biometric data processed for the purpose of uniquely identifying a natural person is special category data under Article 9, so its processing requires explicit consent under Article 9(2)(a) (or another Article 9(2) exception), distinct from the general consent LinkedIn obtained for platform use. Second, the 14-month data retention documented through data subject access requests (DSARs) violates the Article 17 right to erasure and the Article 5(1)(e) storage-limitation principle. Third, after Schrems II, transfers of biometric data to US servers under Standard Contractual Clauses require a transfer impact assessment and, where needed, supplementary technical measures such as encryption with keys held only in the EEA; neither LinkedIn nor Persona has documented such measures. A transfer would stand on a different footing only if Persona were certified under the EU-US Data Privacy Framework adequacy decision of July 2023, which the complaints do not indicate. Fourth, neither company completed the Data Protection Impact Assessment that Article 35(3)(b) makes mandatory for large-scale processing of special category data.
Financial Exposure
Under GDPR Article 83(5), infringements of Articles 5, 6, and 9 (and of the transfer rules in Articles 44-49) carry administrative fines of up to 4% of total worldwide annual turnover of the preceding financial year or 20 million euros, whichever is higher. LinkedIn's parent company Microsoft reported $211 billion in revenue for fiscal year 2023, giving a theoretical ceiling of about $8.44 billion. That ceiling applies to the undertaking as a whole rather than per violation category: under Article 83(3), where several infringements arise from the same or linked processing operations, the total fine may not exceed the amount specified for the gravest infringement. Even conservative estimates based on precedent DPA fines suggest combined exposure exceeding 2.4 billion euros. The Irish DPC's 1.2 billion euro fine against Meta in May 2023 for unlawful EU-US data transfers under SCCs is the precedent most directly applicable to the LinkedIn-Persona data flows.
Key Findings
- 3.8 million EEA users biometric data transferred to US servers
- 247 coordinated complaints filed through noyb
- No Data Protection Impact Assessment conducted
- Combined fine exposure exceeds 2.4 billion euros
Timeline
- LinkedIn launches Persona verification in EU markets
- 247 coordinated noyb complaints filed across 4 jurisdictions
- Coordinated investigation formally announced by 4 DPAs
- Irish DPC issues preliminary findings