LinkedIn profile visitor lists belong to the people, says Noyb

GDPR Article 15 doesn't care if you want to make money by selling users' data back to them A LinkedIn feature the average non-paying user likely only glances past could end up setting a legal precedent in the EU regarding how companies treat customer data that they've processed. Take a look at your LinkedIn profile, if you have one, and you'll see a space where you can look at profile viewers. For premium LinkedIn users, the list of people who visit one's profile goes back 365 days and includes names, job title and employer, and an easy link to the person's profile, unless they've toggled their visibility off for privacy reasons. What a premium LinkedIn user sees when they look at their profile viewers Non-premium LinkedIn users, on the other hand, don't get nearly the same level of visibility on their profiles. If you don't fork over cash to LinkedIn owner Microsoft each month for the privilege, you'll just see things like "12 people found you though the homepage," or that someone with a certain job title from a certain company was scoping out your LinkedIn page. Clicking anything on the free user list redirects you to a LinkedIn premium signup page or search results for employees at one of the aforementioned companies. What you'll see on the profile viewers screen if you don't have a paid-for LinkedIn account One unnamed LinkedIn user refused to accept this lesser status, and approached Microsoft to exercise their GDPR Article 15 right to a copy of their personal data processed by LinkedIn. "Processed" can mean a variety of things, including something as broad as simply hosting a particular type of information. LinkedIn rejected the request on the grounds that protecting that data took precedence. Now the data protection warriors at EU privacy outfit Noyb ("none of your business") are getting involved. "Selling data to its own users is a popular practice among companies," Noyb data protection lawyer Martin Baumann said of the case. "In reality, however, people have the right to receive their own data free of charge." Take a look at the language of Article 15, and it's pretty clear: data subjects (i.e., users) have the right to a copy of any and all data concerning them that's been processed by the provider. A full list of profile visitors seemingly should fall under Article 15 data – even if it's normally reserved for paying users and presented to them in a nicer way, it should still be accessible to free users who actually request it. LinkedIn didn't appear to believe that it was doing anything wrong at all. In a clear denial of facts that are obviously apparent to any non-paying LinkedIn user, including the writer and both editors who worked on this story, a LinkedIn spokesperson told us, "Not only is it incorrect that only Premium members can see who has viewed their profile, but we also satisfy GDPR Article 15 by disclosing the information at issue via our Privacy Policy." The first part of that statement is false, as you can see from the screenshot above. Given the obvious untrustworthiness of that half of the statement, we didn't bother wasting any time trying to evaluate the second part. Noyb acknowledges there's a clear bit of legal fuzz stuck in this corner of the GDPR when it comes to premium service offerings. "If any business processes a person's personal data, this information is generally covered by their right of access under the GDPR," Baumann told The Register. "It does not matter that the business would prefer to sell the data to the data subject or that it would be harmful for their business model if they would." There's only one exception in Article 15 that would give LinkedIn an out, Baumann told us, and that's the last paragraph, which says a person's right to their data can't adversely affect the rights and freedoms of others. Were LinkedIn to argue that it had to protect the identities of people who visited a data subject's profile, they could have an excuse. But not a good one, in Baumann's opinion. "Since LinkedIn does provide information about profile visits to paying Premium members, it cannot consider that disclosing the data would adversely affect the rights of the visitors whose data is disclosed," the Noyb lawyer explained. "Otherwise, providing this information to Premium users would be unlawful too." What seems to be the sticking point here is where right of access begins and a company's right to make money off data they hold (data that was, ahem, supplied by users) ends. Baumann said he hopes this case can clear the legal air. "We expect a clarification concerning the fact that personal data that can be accessed when a user pays for it is also covered by their right of access," he explained. Think of it like this: LinkedIn has every right under the GDPR to take data it has about profile visitors, package it up, add analytics, and present it in its most useful form to those willing to pay the platform for such a premium service. But a masochistic user who

LinkedIn profile visitor lists belong to the people, says Noyb

Key takeaways

More in computer-science