A LinkedIn feature that the average non-paying user probably only glances at could end up setting a legal precedent in the EU for how companies handle customer data they have processed.
Take a look at your LinkedIn profile, if you have one, and you’ll see a space where you can view the profile’s viewers. For premium LinkedIn users, the list of people who visit their profile goes back 365 days and includes names, job title and employer, as well as a simple link to the person’s profile, unless they have turned off their visibility for privacy reasons.
What a premium LinkedIn user sees when viewing their profile visitors – Click to enlarge
Non-premium LinkedIn users, on the other hand, do not benefit from the same level of visibility on their profiles. If you don’t pay money every month to LinkedIn’s owner, Microsoft, for this privilege, you’ll just see things like “12 people found you via the homepage,” or that someone with a certain job title at a certain company was exploring your LinkedIn page.
What you’ll see on the profile viewers screen if you don’t have a paid LinkedIn account – Click to enlarge
Clicking on any item in the free user list will take you to a premium LinkedIn signup page or search results for employees of one of the aforementioned companies.
An anonymous LinkedIn user refused to accept this lower status and contacted Microsoft to exercise his right under Article 15 GDPR to a copy of his personal data processed by LinkedIn. “Processed” can mean a variety of things, including something as broad as simply hosting a particular type of information.
LinkedIn rejected the request on the grounds that the protection of this data was a priority. Now, data protection advocates from European privacy group Noyb (“It’s None of Your Business”) are getting involved.
“Selling data to its own users is a common practice among companies,” Noyb data protection lawyer Martin Baumann said about the case. “But in reality, people have the right to receive their own data for free.”
Take a look at the wording of Article 15, and it’s pretty clear: data subjects (i.e. users) have the right to a copy of all data relating to them that has been processed by the provider. A full list of profile visitors should apparently fall under Article 15 data – even if it is normally reserved for paid users and presented in a nicer way, it should still be accessible to free users who actually request it.
LinkedIn didn’t seem to believe it was doing anything wrong at all. In a clear denial of facts that are obviously obvious to any non-paying LinkedIn user, including the author and the two editors who worked on this story, a LinkedIn spokesperson told us: “Not only is it incorrect that only Premium members can see who has viewed their profile, but we also satisfy Article 15 of the GDPR by disclosing the information in question via our privacy policy. The first part of this statement is false, as you can see in the screenshot above. Given the obvious unreliability of this half of the statement, we wasted no time trying to evaluate the second part.
Noyb acknowledges that there is clearly legal limbo stuck in this corner of GDPR when it comes to premium service offerings.
“If a company processes an individual’s personal data, that information is generally covered by its right of access under the GDPR,” Baumann said. The register. “It doesn’t matter whether the company prefers to sell the data to the data subject or whether it would harm its business model if it does so.”
There is only one exception in Article 15 that would give LinkedIn a way out, Baumann told us, and that is the last paragraph, which says that a person’s right to their data cannot infringe on the rights and freedoms of others. If LinkedIn claimed that it had to protect the identity of people who viewed a data subject’s profile, it might have an excuse. But not a good one, in Baumann’s opinion.
“Given that LinkedIn provides information about profile visits to paid Premium members, it cannot consider that the disclosure of this data would infringe the rights of the visitors whose data is disclosed,” explained Noyb’s lawyer. “Otherwise, providing this information to Premium users would also be illegal.”
What seems to be the sticking point here is where the right to access begins and a company’s right to make money from the data it holds (data that was, uh, provided by users) ends. Baumann said he hoped the case would provide legal clarity.
“We are awaiting clarification that personal data accessible when a user pays for it is also covered by their right of access,” he explained.
Think of it like this: LinkedIn has every right under GDPR to take the data it has about its profile visitors, aggregate it, add analytics, and present it in its most useful form to those willing to pay the platform for such a premium service. But a masochistic user who wants to extract a CSV file containing the same data should also have the right to do so – and Article 15 of the GDPR gives them this.
It’s not just about LinkedIn either. Baumann said there are many other cases in which similar legal clarification would be appreciated, citing the example of a bank that does not wish to provide access to account statements in response to a GDPR request, but is happy to hand over similar data for a fee.
“A precedent would be welcome,” Baumann said. ®