High Court - IEHC 235

Summary

The Irish High Court addressed preliminary issues in LinkedIn's appeal against the DPC's GDPR decision, specifically regarding the scope of appeal under sections 142 and 150 of the Data Protection Act 2018. The court ruled that section 142 only covers appeals against administrative fines, while other findings must be challenged under section 150.

Full text

Help High Court - IEHC 235: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 10:52, 22 May 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators49 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 10:52, 22 May 2026 High Court - IEHC 235 Court: High Court (Ireland) Jurisdiction: Ireland Relevant Law: Section 142 DPA 2018Section 150 DPA 2018 Decided: 20.04.2026 Published: Parties: Linkedin Ireland Unlimited Company Data Protection Commission National Case Number/Name: IEHC 235 European Case Law Identifier: Appeal from: DPALinkedIn inquiry Appeal to: Unknown Original Language(s): English Original Source: Bailii (in English) Initial Contributor: bms LinkedIn sought to appeal the DPC’s entire decision under section 142 DPA 2018, but the High Court held that this route covered only the fine, with the remaining findings falling under section 150. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The case arose from LinkedIn’s appeal against a decision of the Irish Data Protection Commission (“DPC”) dated 22 October 2024. In that decision, the DPC found that LinkedIn had infringed GDPR Articles 5(1)(a), 6(1), 13(1)(c) and 14(1)(c). The DPC imposed a reprimand, an order requiring LinkedIn to bring processing into compliance, and three administrative fines totalling €310 million. The underlying DPC inquiry followed a complaint lodged by La Quadrature du Net with the French supervisory authority, CNIL, on behalf of 8,540 LinkedIn users in France. The complaint concerned LinkedIn’s processing of personal data for behavioural analysis and targeted advertising. CNIL referred the matter to the DPC because LinkedIn Ireland was subject to the Irish supervisory authority in the context of cross-border processing. The DPC investigation lasted more than six years. The DPC first notified LinkedIn of the inquiry on 20 August 2018. After several requests for information, submissions, a preliminary draft decision, a draft decision under Article 60 GDPR and comments from concerned supervisory authorities, the DPC adopted its final decision on 22 October 2024. LinkedIn then brought a statutory appeal under sections 142 and 150 of the Data Protection Act 2018. It also issued judicial review proceedings challenging aspects of the statutory scheme under the Constitution, the Charter and the ECHR. The High Court judgment did not decide the merits of the DPC’s GDPR findings. Instead, it dealt with four preliminary issues about the structure and standard of appeal. The key dispute was whether LinkedIn could challenge the entire DPC decision under section 142, because that decision included a fine, or whether section 142 was limited to the fine only. LinkedIn argued for a broader, unitary appeal. The DPC and the State argued that section 142 applied only to the administrative fine, while infringement findings and non-fine corrective measures had to be challenged under section 150. Holding The High Court held that section 142 of the Data Protection Act 2018 only provides for an appeal against the DPC’s decision to impose an administrative fine. It does not allow LinkedIn to appeal the DPC’s infringement findings or the exercise of other corrective powers, such as a reprimand or compliance order, under that section. Those parts of the DPC decision must instead be appealed under section 150. The Court reasoned that the statutory scheme distinguishes between a decision on infringement and a further decision on corrective powers. In particular, sections 111, 112 and 113 require the DPC first to decide whether there was an infringement and then, “in addition”, decide whether to exercise corrective powers. Section 115 separately identifies the power to impose an administrative fine and makes that decision subject to Chapter 6 of the 2018 Act. The Court also held that appeals under section 142 are appeals “on the record”, but with the possibility that new evidence or new arguments may be admitted. The same standard applies to appeals under section 150. However, the Court accepted that deference may be appropriate where the issue falls within the DPC’s technical expertise. Finally, the Court rejected any blanket rule excluding new evidence or arguments in appeals under sections 142 or 150. Whether such material can be admitted is a matter for the discretion of the judge hearing the appeal. The burden may be lighter under section 142 because section 142(2) expressly refers to new evidence, but there is no automatic right to introduce a new case on appeal. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the English original. Please refer to the English original for more details. THE HIGH COURT [2026] IEHC 235 Record Number 2024/580 MCA IN THE MATTER OF SECTION 142 AND SECTION 150 OF THE DATA PROTECTION ACT 2018 Between LINKEDIN IRELAND UNLIMITED COMPANY Appellant and DATA PROTECTION COMMISSION Respondent JUDGMENT of Ms Justice Nessa Cahill delivered on 20 April 2026 INTRODUCTION.. 2 BACKGROUND.. 4 ISSUE 1: SCOPE OF SECTION 142. 8 (a) Summary of the Parties' Arguments. 8 (b) Relevant Provisions of the 2018 Act 9 (c) GDPR lang=EN-US style='font-family: "Times New Roman",serif;color:windowtext;display:none;text-decoration:none'>.. 23 (d) Conclusions on the interpretation of the statutory language. 26 (e) Absurdity Arguments 26 (i) Overlap between infringement and fine. 27 (ii) Orders under Section 143(3) 29 (iii) Consequences of separate appeals. 31 (iv) Content of the LinkedIn Decision. 33 ISSUE 2: INTERPRETATION OF SECTION 142. 35 (a) Preliminary. 35 (b) Inconsistency in statutory appeals. 36 (c) Categorising appeals. 40 (d) Understanding the categories. 42 (e) Interpretation of section 142. 49 (i) Language of section 142. 49 (ii) Positions of the parties. 51 (iii) Comparison with other legislation. 52 (iv) Conclusions on the interpretation of the statutory language. 68 (f) GDPR, Charter and ECHR. 73 (c) Curial Deference. 93 (i) Parties' positions. 93 (ii) Interaction between standard of review and curial deference. 94 (iii) Relevant authorities 94 (iv) Article 60. 96 ISSUE 4: ADMISSIBILITY OF NEW EVIDENCE AND ARGUMENT. 100 CONCLUSIONS. 106 INTRODUCTION 1. This judgment arises in the context of an appeal by the Appellant ("LinkedIn") from a decision of the Respondent ("the DPC") made on 22 October 2024 ("the LinkedIn Decision"), which was made pursuant to section 113(2)(a) of the Data Protection Act 2018 ("the 2018 Act") and Article 60 of Regulation 2016/679/EU ("the GDPR"). By that Decision, the DPC found that LinkedIn had infringed Articles 5(1)a, 6(1), 13(1)(c) and 14(1)c of the GDPR and that corrective powers should be exercised in the form of a reprimand, an order to bring processing into compliance and the imposition of three administrative fines, totalling €310 million. 2. This judgment addresses the rules governing an appeal to this Court under the Data Protection Act 2018 ("the 2018 Act"). Four issues were identified and agreed by the parties to be suitable and appropriate for preliminary trial. They each concern the interpretation of provisions of that Act. 3. While the questions raised are complex, they do arise and have been presented, largely independently of the facts of these proceedings and in the absence of any relevant factual conflict. For that reason, the background is briefly summarised to contextualise the issues raised but is not further examined. 4. The only truly salient facts are that the Data Protection Commission ("the DPC") conducted a six-year long investigation between 2018 and 2024, which culminated in a decision that LinkedIn had committed infringements of provisions of the General Data Protectio

Entities