LinkedIn Profile Visitor Lists Belong to the People, Says Noyb (theregister.com) 28
A LinkedIn user in the EU is challenging Microsoft's refusal to provide a full list of profile visitors under GDPR Article 15, arguing that the data should be available for free because LinkedIn processes it and sells a more complete version to Premium users. Privacy group Noyb says the case could set a broader precedent over whether companies can monetize user-related data while denying access to the same data through GDPR requests. "Selling data to its own users is a popular practice among companies," Noyb data protection lawyer Martin Baumann said of the case. "In reality, however, people have the right to receive their own data free of charge." The Register reports: Take a look at the language of Article 15, and it's pretty clear: data subjects (i.e., users) have the right to a copy of any and all data concerning them that's been processed by the provider. A full list of profile visitors seemingly should fall under Article 15 data -- even if it's normally reserved for paying users and presented to them in a nicer way, it should still be accessible to free users who actually request it. [...] Noyb acknowledges there's a clear bit of legal fuzz stuck in this corner of the GDPR when it comes to premium service offerings. "If any business processes a person's personal data, this information is generally covered by their right of access under the GDPR," Baumann told The Register. "It does not matter that the business would prefer to sell the data to the data subject or that it would be harmful for their business model if they would."
There's only one exception in Article 15 that would give LinkedIn an out, Baumann told us, and that's the last paragraph, which says a person's right to their data can't adversely affect the rights and freedoms of others. Were LinkedIn to argue that it had to protect the identities of people who visited a data subject's profile, they could have an excuse. But not a good one, in Baumann's opinion. "Since LinkedIn does provide information about profile visits to paying Premium members, it cannot consider that disclosing the data would adversely affect the rights of the visitors whose data is disclosed," the Noyb lawyer explained. "Otherwise, providing this information to Premium users would be unlawful too."
What seems to be the sticking point here is where right of access begins and a company's right to make money off data they hold (data that was, ahem, supplied by users) ends. Baumann said he hopes this case can clear the legal air. "We expect a clarification concerning the fact that personal data that can be accessed when a user pays for it is also covered by their right of access," he explained. [...] Baumann said there are numerous other cases where similar legal clarification would be appreciated, citing the example of a bank that is unwilling to provide access to account statements in response to a GDPR request, but is happy to hand over similar data for a fee. "A precedent would be welcomed," Baumann said. A LinkedIn spokesperson told The Register: "Not only is it incorrect that only Premium members can see who has viewed their profile, but we also satisfy GDPR Article 15 by disclosing the information at issue via our Privacy Policy."
There's only one exception in Article 15 that would give LinkedIn an out, Baumann told us, and that's the last paragraph, which says a person's right to their data can't adversely affect the rights and freedoms of others. Were LinkedIn to argue that it had to protect the identities of people who visited a data subject's profile, they could have an excuse. But not a good one, in Baumann's opinion. "Since LinkedIn does provide information about profile visits to paying Premium members, it cannot consider that disclosing the data would adversely affect the rights of the visitors whose data is disclosed," the Noyb lawyer explained. "Otherwise, providing this information to Premium users would be unlawful too."
What seems to be the sticking point here is where right of access begins and a company's right to make money off data they hold (data that was, ahem, supplied by users) ends. Baumann said he hopes this case can clear the legal air. "We expect a clarification concerning the fact that personal data that can be accessed when a user pays for it is also covered by their right of access," he explained. [...] Baumann said there are numerous other cases where similar legal clarification would be appreciated, citing the example of a bank that is unwilling to provide access to account statements in response to a GDPR request, but is happy to hand over similar data for a fee. "A precedent would be welcomed," Baumann said. A LinkedIn spokesperson told The Register: "Not only is it incorrect that only Premium members can see who has viewed their profile, but we also satisfy GDPR Article 15 by disclosing the information at issue via our Privacy Policy."
have your cake and eat it too (Score:4, Interesting)
I guess that lawyer analysis of the GDPR is that linkedIn cannot both withhold the information behind a paywall and claim privacy issues for releasing it for free at the same time. I would agree with that.
I remember interviewing at LinkedIn years ago, before GDPR, and they gave me a printout of my connections tree. That was kinda cool and I still have it somewhere in my home office. AFAIK they do not do this anymore as it could be legally challenged under GDPR and possibly the similar California laws.
Personally I'm a little sad of LinkedIn state after Microsoft purchased them. The push for monetization transformed it into a wannabe Facebook and I don't find it as useful as a recruiting tool as it used to be.
Anyway, I'm rooting for the little guy here.
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:1)
Re:have your cake and eat it too (Score:4, Funny)
Honestly the only thing I find LinkedIn interesting , is watching people posting horrifically racist rants and then seeing their employment status flip to unemployed the next day. (Life tip: If you have an opinion you'd be nervous about sharing in a crowded bar, dont go blasting it out on a social media environment your boss uses to speak to investors)
Re: (Score:2)
Only reason I have LI is because I got access prior to public release back in 2003. I got laid off and my manager recommended it.
Pretty silly attempt to be silly (Score:3, Interesting)
Who visited your profile on a web site is not YOUR data, but data of the operator of the web site.
YOUR data is data you provided to the web site. That is all. So, with some luck you might have a point if you want to see the history of which profiles you have visited.
Re: (Score:2)
Who visited your profile on a web site is not YOUR data, but data of the operator of the web site.
YOUR data is data you provided to the web site. That is all. So, with some luck you might have a point if you want to see the history of which profiles you have visited.
The data gathered from people who visit my profile wouldn't exist without my profile.
I can accept the processed data belonging to LinkedIn because they've added value. But withholding, or charging for, the unprocessed data strikes me as (roughly) equivalent to the provider of a free email service withholding emails unless you pony up for a paid plan.
Besides, IIRC LinkedIn shows ads. If I'm viewing ads then I AM paying for the time I spend there - so gimme my goddamn visitor data!
Re: (Score:2)
Taking it further, does any individual have a right to request from any site a list of visitors who were shown any information or even mention of you? Would that violate their privacy? Imagine me requesting a list of personal identifications of anyone who posted on this slashdot thread as well as anyone
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Can you request deletion of the record of said visit as per GDPR?
Without deleting your own profile: likely not.
And he on the other hand, without deleting his profile, unlikely in the same way.
Not really sure what you guys are nitpicking about.
It should be plain obvious which data is YOUR data ... and which is not.
Data that suddenly emerges ABOUT you, is most certainly not your data. If you want it deleted, you have to delete yourself from that platform.
The data protection is about data about yourself, espec
Re: (Score:1)
The point is: it is not your data.
You do not own it.
While the rest of your reasoning is true, you have to convince a court to rule in your favour. ... GDPR etc. gives you no base for that.
Most likely not going to happen in the EU
equivalent to the provider of a free email service withholding emails unless you pony up for a paid plan.
That is nonsense, as the emails you sent and receive: IS YOUR DATA.
Don't play dumb.
Re: (Score:1)
The data gathered from people who visit my profile wouldn't exist without my profile.
But it is not your data.
You did not provide the web site with a asset of people who visited your profile.
The web site figured it itself, hence it is their data.
About what do you want to nitpick?
You plant an apple tree 1 yard away from the fence.
After some years it gets fruits ... the apples hanging over to the other side, and particularly the ones falling down there: are the property of the the owner of the land the apples
Re: (Score:2)
+1. Somebody visiting my profile is information about them (their activity), not about me.
Re: (Score:2)
Except that the key for the data is the user's profile and LinkedIn does compile a report based on that key, which per that lawyer's interpretation is covered by GDPR.
Without the user profile, the compiled data would not exist and since the GDRP has wording covering that, and LinkedIn does compile and sell it, it should be legally released.
I definitely am biased because I personally consider that Microsoft kind of turned LinkedIn into a wannabe Facebook with gazillion notifications, which I had to turn off
Re:Pretty silly attempt to be silly (Score:5, Informative)
It will depend on the exact legal wording of the GDPR. Such laws do often give the you the right to know who the data collector is sharing your data with. The general principle of such laws is to know what information is being collected about you, how it is being used and who it is being shared with. It is this last principle that Noyb is seeking to enforce.
Re: (Score:1)
Such laws do often give the you the right to know who the data collector is sharing your data with.
They are not allowed to share any data with anyone. That is the default.
The general principle of such laws is to know what information is being collected about you, the problem/case (of the guy called Nyob) is not collecting data about me. It is collecting data about the others. The guys visiting my profile.
how it is being used and who it is being shared with. it can not be shared legally with anyone.
Are you
Re: (Score:2)
Are you a retard?
Wow, you had a bad day huh?
But whose data is it? (Score:3)
Re:But whose data is it? (Score:4, Interesting)
You are making it harder than it actually is.
Do the landlord record my Personally Identifiable Information? If so, I have the right to know what information they log about me. I also have the right to get that information removed. The PII is mine according to GDPR. I only license the data to the processor for the maximum duration needed for them to provide the service I use (unless there are a "legitimate reason" such as needing to comply with laws and regulations to keep the data on file for a longer period).
GDPR - just as any other EU regulation - isn't really that difficult to handle. It is grounded in the common sense of putting the consumer's right in the center. I guess that's why ToS geared towards Europeans are generally shorter than the ToS/EULAs written by American companies.
Side-note: I recently compared the EULA/ToS from Nintendo that applies to Europeans with the ones applying to US citizens. It was quite an eye-opener.
Re: (Score:2)
If not, is Google in violation of GDPR, or is a site not obligated to provide EU citizens with a complete list of whoever accessed any content authored by said citizen. A LinkedIn profile is just content authored
Re: (Score:1)
or is a site not obligated to provide EU citizens with a complete list of whoever accessed any content authored by said citizen.
Of course they are not obliged to provide a list of who accessed (your) the data.
That would be a violation of the privacy of the person accessing the data.
They are obliged to tell you WHAT they do with your data ... and that is simple: they do nothing except displaying, what ever you have posted for displaying ...
If you want it deleted, they delete it for you ... and give you a rec
Re: (Score:2)
It makes perfect sense (Score:3)
I can understand that LinkedIn wants to protect their business by not making the information directly available through a single click, but that does not invalidate my rights, nor does my rights invalidate LinkedIn's "reasonable need" to process my data in the way they do.
From the perspective of "privacy of the other part" - if they do not consent to being exposed (but they actually do consent anyway), they probably shouldn't be using LinkedIn or any other social media at all.
I know the notion of freedom of information is new in the US and that US-based companies are having problems adapting to this reality, but for the rest of the industrial world, it has been around for ages; even hundreds of years in some countries.