Microsoft has escaped the scrutiny experienced by Facebook, because the company is not a social media, with access to sensitive data, like contacts and so forth.
But let's not forget that Microsoft owns LinkedIn, the social media dedicated for businesses and alike. And this time, LinkedIn faces probe as it used 18 million non-users' email addresses to target them with Facebook ads.
The Irish Data Protection Commissioner (DPC) discovered this after following a complaint from a user in 2017 over LinkedIn’s practices regarding people who were not members of the social network.
This led it in finding LinkedIn guilty for violating the privacy of non-users by processing their data without their consent.
LinkedIn USA had been found to process hashed email addresses of those 18 million non-LinkedIn users, and target them individually using Facebook, with the absence of instruction from LinkedIn Ireland which is affected by the EU's GDPR.
Microsoft has been said to target these non-users with Facebook ads to encourage them to sign up to the business-oriented social media
According to DPC, which covered LinkedIn's activities in the first six months of 2018, the issue was “amicably resolved." And that "with LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint."
Since the DPC found this privacy violation, it decided to conduct further audits since it "concerned with the wider systemic issues identified" in the initial investigation.
And again LinkedIn was found guilty when it also applied its social graph-building algorithms to build networks to suggest professional networks for users, or "undertaking pre-computation," as the DPC described it.
The idea here was build up suggested networks of compatible professional connections to help users overcome the hurdle of having to build networks from scratch.
"As a result of the findings of our audit, LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to cease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018," wrote the DPC.
That date was the day that GDPR came into force.
LinkedIn’s Head of Privacy, EMEA, Denis Kelleher, said that:
Here, LinkedIn clearly apologized for its wrongdoing.
The case follows a list of investigation that have been reported concerning user data on Facebook and WhatsApp, as well as the Yahoo! breach which affected millions. Microsoft and its properties have escaped GDPR and scrutiny before, but seems that it failed this one.
LinkedIn isn't the first, and won't be the last company to "ask for forgiveness, not permission," when it comes to pushing the boundaries of what is permissible.