LinkedIn Profile Visitor Lists Belong to the People, Says Noyb (theregister.com) 14
A LinkedIn user in the EU is challenging Microsoft's refusal to provide a full list of profile visitors under GDPR Article 15, arguing that the data should be available for free because LinkedIn processes it and sells a more complete version to Premium users. Privacy group Noyb says the case could set a broader precedent over whether companies can monetize user-related data while denying access to the same data through GDPR requests. "Selling data to its own users is a popular practice among companies," Noyb data protection lawyer Martin Baumann said of the case. "In reality, however, people have the right to receive their own data free of charge." The Register reports: Take a look at the language of Article 15, and it's pretty clear: data subjects (i.e., users) have the right to a copy of any and all data concerning them that's been processed by the provider. A full list of profile visitors seemingly should fall under Article 15 data -- even if it's normally reserved for paying users and presented to them in a nicer way, it should still be accessible to free users who actually request it. [...] Noyb acknowledges there's a clear bit of legal fuzz stuck in this corner of the GDPR when it comes to premium service offerings. "If any business processes a person's personal data, this information is generally covered by their right of access under the GDPR," Baumann told The Register. "It does not matter that the business would prefer to sell the data to the data subject or that it would be harmful for their business model if they would."
There's only one exception in Article 15 that would give LinkedIn an out, Baumann told us, and that's the last paragraph, which says a person's right to their data can't adversely affect the rights and freedoms of others. Were LinkedIn to argue that it had to protect the identities of people who visited a data subject's profile, they could have an excuse. But not a good one, in Baumann's opinion. "Since LinkedIn does provide information about profile visits to paying Premium members, it cannot consider that disclosing the data would adversely affect the rights of the visitors whose data is disclosed," the Noyb lawyer explained. "Otherwise, providing this information to Premium users would be unlawful too."
What seems to be the sticking point here is where right of access begins and a company's right to make money off data they hold (data that was, ahem, supplied by users) ends. Baumann said he hopes this case can clear the legal air. "We expect a clarification concerning the fact that personal data that can be accessed when a user pays for it is also covered by their right of access," he explained. [...] Baumann said there are numerous other cases where similar legal clarification would be appreciated, citing the example of a bank that is unwilling to provide access to account statements in response to a GDPR request, but is happy to hand over similar data for a fee. "A precedent would be welcomed," Baumann said. A LinkedIn spokesperson told The Register: "Not only is it incorrect that only Premium members can see who has viewed their profile, but we also satisfy GDPR Article 15 by disclosing the information at issue via our Privacy Policy."
There's only one exception in Article 15 that would give LinkedIn an out, Baumann told us, and that's the last paragraph, which says a person's right to their data can't adversely affect the rights and freedoms of others. Were LinkedIn to argue that it had to protect the identities of people who visited a data subject's profile, they could have an excuse. But not a good one, in Baumann's opinion. "Since LinkedIn does provide information about profile visits to paying Premium members, it cannot consider that disclosing the data would adversely affect the rights of the visitors whose data is disclosed," the Noyb lawyer explained. "Otherwise, providing this information to Premium users would be unlawful too."
What seems to be the sticking point here is where right of access begins and a company's right to make money off data they hold (data that was, ahem, supplied by users) ends. Baumann said he hopes this case can clear the legal air. "We expect a clarification concerning the fact that personal data that can be accessed when a user pays for it is also covered by their right of access," he explained. [...] Baumann said there are numerous other cases where similar legal clarification would be appreciated, citing the example of a bank that is unwilling to provide access to account statements in response to a GDPR request, but is happy to hand over similar data for a fee. "A precedent would be welcomed," Baumann said. A LinkedIn spokesperson told The Register: "Not only is it incorrect that only Premium members can see who has viewed their profile, but we also satisfy GDPR Article 15 by disclosing the information at issue via our Privacy Policy."
have your cake and eat it too (Score:2)
I guess that lawyer analysis of the GDPR is that linkedIn cannot both withhold the information behind a paywall and claim privacy issues for releasing it for free at the same time. I would agree with that.
I remember interviewing at LinkedIn years ago, before GDPR, and they gave me a printout of my connections tree. That was kinda cool and I still have it somewhere in my home office. AFAIK they do not do this anymore as it could be legally challenged under GDPR and possibly the similar California laws.
Person
Re: (Score:2)
Pretty silly attempt to be silly (Score:2)
Who visited your profile on a web site is not YOUR data, but data of the operator of the web site.
YOUR data is data you provided to the web site. That is all. So, with some luck you might have a point if you want to see the history of which profiles you have visited.
Re: (Score:2)
Who visited your profile on a web site is not YOUR data, but data of the operator of the web site.
YOUR data is data you provided to the web site. That is all. So, with some luck you might have a point if you want to see the history of which profiles you have visited.
The data gathered from people who visit my profile wouldn't exist without my profile.
I can accept the processed data belonging to LinkedIn because they've added value. But withholding, or charging for, the unprocessed data strikes me as (roughly) equivalent to the provider of a free email service withholding emails unless you pony up for a paid plan.
Besides, IIRC LinkedIn shows ads. If I'm viewing ads then I AM paying for the time I spend there - so gimme my goddamn visitor data!
Re: (Score:2)
Taking it further, does any individual have a right to request from any site a list of visitors who were shown any information or even mention of you? Would that violate their privacy? Imagine me requesting a list of personal identifications of anyone who posted on this slashdot thread as well as anyone
Re: (Score:2)
Re: (Score:2)
+1. Somebody visiting my profile is information about them (their activity), not about me.
Re: (Score:2)
Except that the key for the data is the user's profile and LinkedIn does compile a report based on that key, which per that lawyer's interpretation is covered by GDPR.
Without the user profile, the compiled data would not exist and since the GDRP has wording covering that, and LinkedIn does compile and sell it, it should be legally released.
I definitely am biased because I personally consider that Microsoft kind of turned LinkedIn into a wannabe Facebook with gazillion notifications, which I had to turn off
Re: (Score:3)
It will depend on the exact legal wording of the GDPR. Such laws do often give the you the right to know who the data collector is sharing your data with. The general principle of such laws is to know what information is being collected about you, how it is being used and who it is being shared with. It is this last principle that Noyb is seeking to enforce.
But whose data is it? (Score:3)
Re: (Score:2)
You are making it harder than it actually is.
Do the landlord record my Personally Identifiable Information? If so, I have the right to know what information they log about me. I also have the right to get that information removed. The PII is mine according to GDPR. I only license the data to the processor for the maximum duration needed for them to provide the service I use (unless there are a "legitimate reason" such as needing to comply with laws and regulations to keep the data on file for a longer p
It makes perfect sense (Score:2)
I can understand that LinkedIn wants to protect their business by not making the information directly available through a single click, but that does not invalidate my rights, nor does my rights invalidate LinkedIn's "reasonable need" to process my dat