A report by Irelands Data Protection Commissioner has found that LinkedIn breached data protection guidelines by using consumer email addresses in an inappropriate manner. The investigation found that around 18m consumers were targeted using data they had not permitted LinkedIn to use.

LinkedIn, the Microsoft-owned professional networking platform, has faced criticism before for its ability to suggest connections that would seem beyond the scope of its data. Now, the report by the Irish Data Protection Commissioner (DPC), which covers early 2018 up to the implementation of GDPR, has detailed an investigation with concrete evidence of the platform using data in a non-transparent manner.

The investigation came about following a complaint from a user in 2017, regarding LinkedIns practices when it came to advertising to consumers who were not members of the platform. It emerged that as part of moving its data processing from Ireland to the US, LinkedIn had obtained email addresses for around 18m people in the US who were not already members. That data was then used to target advertisements via Facebooks ad platform “with the absence of instruction from the data controller”, in this case, LinkedIn Ireland.

While the DPC felt that this issue was “ultimately amicably resolved, with LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint”, the  DPC decided to conduct a further audit looking into “wider systemic issues” that were identified during the initial investigation.

As part of this second investigation, it found that LinkedIn was also applying its social graph-building algorithms to build networks of suggested contacts for consumers ahead of them joining LinkedIn, with the idea that this “pre-computation” would ease the on-boarding process for new members. However, this again was carried out without the consent of these consumers or LinkedIn Ireland.

“As a result of the findings of our audit, LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to crease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018.”

While the report answers some questions about LinkedIns processes, and suggests that they have changed them in the wake of the investigation, it does not reveal precisely how LinkedIn obtained the 18m non-member email addresses. Given that it only covers up to the implementation of GDPR, it also hasnt resulted in a fine for the firm, which a post-GDPR violation could well do.

“We appreciate the DPCs 2017 investigation of a complaint about an advertising campaign and fully cooperated,” said Denis Kelleher, head of privacy for EMEA at LinkedIn, in a statement regarding the reports findings. “Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry. Weve taken appropriate action, and have improved the way we work to ensure that this will not happen again. During the audit, we also identified one further area where we could improve data privacy for non-members and we have voluntarily changed our practices as a result.”