Out-Law News 2 min. read

LinkedIn changes gen-AI training plans after data watchdog intervenes



LinkedIn has agreed to limit the volume and nature of the user data that it will use for training its generative AI (gen-AI) system following an intervention by Ireland’s data protection authority.

Earlier this year, LinkedIn outlined plans to start using public posts, comments and user profile data – including names, photos, roles and skills – for “generative AI improvement” from 3 November. The social media company envisaged processing user data dating back to 2003, with users who did not want their data to be processed having to actively opt out. However, some EU data protection authorities raised concerns about the plans, including the Autoriteit Persoonsgegevens (AP) in the Netherlands.

The lead authority responsible for supervising LinkedIn’s compliance with EU data protection laws is the Irish Data Protection Commission (DPC), since LinkedIn has its European headquarters in Ireland. It raised its own concerns with the company – and made “recommendations to address the potential negative impact its plans could have on the data protection rights of individuals” – after reviewing “data protection documentation” the company shared with it.

According to the DPC, LinkedIn has now agreed to make changes to its plans. These include issuing “improved transparency notices” to enable users to better “understand the personal data LinkedIn will process to train its AI models and their ability to opt out” and reducing the type of personal data it will use for training its gen-AI models, “both in terms of the personal data to be used and the time period from which it proposed to draw the data”.

Further changes LinkedIn has agreed to apply include measures to prevent children’s data being used in the training and filters to stop other sensitive data from being collected. The company has also agreed to share “more detailed risk assessments and other required documentation under the GDPR”, according to the DPC, which added that the company will report back on how effective and appropriate “the measures and safeguards” are within five months.

Dublin-based data protection law expert Andreas Carney of Pinsent Masons said: “On the face of it, this looks like an example of where engagement with the DPC in advance of launch has worked to the benefit of both the DPC and LinkedIn. The DPC is open to engagement before controllers undertake material changes to their processes or customer engagement that may have a compliance impact – it’s always worth considering an approach to avoid speed bumps further down the road.”

“The action that LinkedIn has agreed to take reflects general issues of compliance that the DPC has been focused on for some time, such as around transparency, data minimisation, purpose creep and the protection of minors,” he said.

The DPC said: “The DPC has not approved, or found compliant, LinkedIn’s use of users’ personal data for generative AI model training. However, the additional measures implemented by LinkedIn have sufficiently addressed the DPC’s concerns such that further regulatory intervention is not considered necessary at present. The DPC will continue to monitor LinkedIn’s GDPR compliance and will exercise further regulatory powers if necessary.”

LinkedIn was fined €310 million by the DPC last year for breaching the GDPR when processing personal data of its registered users for marketing and analytic purposes.
