LinkedIn tracks the visits to profile pages. However, if you want to see who has visited your own profile, you have to pay. The Microsoft subsidiary uses these and other ‘insights’ as an incentive for people to sign up for its paid Premium membership. It is unclear whether this tracking of visitors is legal. What is clear, however, is that if this data is displayed as part of a premium membership, it should also be accessible in response to an access request under Article 15 GDPR. But LinkedIn refuses to comply – and suddenly cites alleged data protection concerns that supposedly only arise in the case of an access request.
Selling data: Yes! Right to access: No? LinkedIn is constantly trying to entice its users into signing up for a paid premium membership. This is primarily promoted through a feature that allows users to view a list of all visitors to their profile over the past 365 days. Many other providers also attempt to use user data to create a premium product. Yet, under EU law, such personal data should actually be accessible free of charge. This presents LinkedIn with a legal dilemma: the data hidden behind a premium membership would also have to be made available as part of a free access request under Article 15 GDPR.
LinkedIn tracks profile visits. The reason is that visitor data, to a certain extent, constitutes shared data between visitors and those whose profiles are visited. Such activity data is often analysed to personalise the content or adverts displayed. Although LinkedIn allows users to opt out of this tracking, it does not ask for active consent (opt-in). It is therefore questionable to what extent the recording of profile visits is legal at all.
Martin Baumann, data protection lawyer at noyb: “Selling data to its own users is a popular practice among companies. In reality, however, people have the right to receive their own data free of charge. It is absurd that companies only seem to recognise the importance of data protection when they want to sell data. For example, when LinkedIn has no problem handing over certain data in exchange for money – but suddenly becomes concerned about the privacy of other users when you exercise your right of access.”
Data protection versus data protection. It is particularly absurd that LinkedIn is using a supposed ‘data protection interest’ as an argument to deny the right of access to data under the GDPR. Either the data must not be accessible to anyone, or – if it is clear to the visitor that the data is visible – it must also be disclosed in accordance with Article 15 GDPR.
Martin Baumann, data protection lawyer at noyb: “The protection of the rights and freedoms of others can definitely be a reason for not disclosing shared personal data. However, if a company has sought the relevant consent and is clearly willing to make the same data available for a fee, this argument no longer holds water.”
GDPR rights as a money-making opportunity? The GDPR sets out various rights to enable users to access and amend their data in the information society. However, companies often continue to charge a fee for this, whether it involves access requests with a creditors’ association or the correction of names on tickets. These fees are often long-established – but illegal.
Complaint filed. noyb has therefore lodged a complaint with the Austrian Data Protection Authority on behalf of a LinkedIn user and is demanding a full response to his access request. Furthermore, noyb is proposing that a fine be imposed to prevent similar breaches in future.
