Can data from public LinkedIn profiles be collected and used for business purposes?

It is unclear, but a long legal battle has resulted in some positions being upheld in the US courts.

What is the problem?

A recent court ruling concerns a long-running dispute between analytics company hiQ Labs and LinkedIn. LinkedIn claims that hiQ has breached LinkedIn’s terms of use and the US Computer Fraud and Abuse Act. At the same time, hiQ argues that publicly available information can be collected and used.

It is necessary to note some of the premises and facts relevant to both disputing parties.

  • LinkedIn is not the owner of the personal data of users added to the platform. The owner is the user.
  • The terms of use of the LinkedIn platform prohibit the creation of false identities and fake accounts on the platform, as well as the use of software, devices, scripts, robots, or any other means to harvest (data scraping) and copy profile data and the further use of the data harvested.
  • For years, hiQ has used software solutions to harvest data from LinkedIn public profiles.
  • hiQ has consistently attempted to avoid LinkedIn’s technical safeguards, attempted to redesign the platform’s information systems, and disguised its activities through the appearance of human behaviour.
  • LinkedIn has recently won a similar lawsuit against Mantheos, a Singapore company. 

Court’s position

To date, a US court has found that hiQ’s conduct violates LinkedIn’s terms of use and that hiQ has violated these terms for years. It also indicates that LinkedIn has grounds to move forward with the case on whether hiQ’s conduct violates the US Computer Fraud and Abuse Act (CFAA). 

As regards the possible violation of the CFAA, the question of whether the automatic harvesting of publicly available personal data by software can be interpreted as access without authorisation is still in dispute. The court has so far held that this is not the case and has granted hiQ the right to do so. However, LinkedIn is now moving forward with challenging this.

Also noteworthy in this case is the debate about the general position of users, platforms, and public data harvesters and the presumptions of data privacy. The court noted that LinkedIn users could choose not to publicly share their profile and any changes to it. An example is when an employee does not want their current employer to know that the employee is looking for a new job.

The court also pointed out that users who publicly share their profile information are unlikely to expect privacy. LinkedIn’s privacy policy also confirms this. The court said that when an employee wants to avoid the employer receiving notifications that the employee has started looking for a job, the employee can make their account private and remove the employer from their contacts.

The court noted that LinkedIn’s arguments regarding the protection of user privacy are invalid since, for example, LinkedIn’s Recruiter service allows a client, as a recruiter, to mark, monitor, and receive notifications of profiles of users who have been added to a list by the recruiter, as well as a full export of that data. If LinkedIn didn’t want to do this, it could remove the ability to access public profiles. Still, in this case, it only wants to remove the ability to process data from competing companies.

Finally, the court considers that giving companies such as LinkedIn complete discretion to decide who has the right to collect and use the data that LinkedIn does not own but which it collects and uses and has made publicly accessible risks creating information monopolies and does not serve the public interest.

What happens next?

HiQ Labs has breached the terms of use of the LinkedIn service with its actions. What is also clear is that for a company like hiQ, access to LinkedIn data is vital, while LinkedIn has no interest in such disruptive business models. 

It is still unclear whether hiQ’s activities also break the law simultaneously, but LinkedIn has expressed the desire to find out.

We will need to wait for further developments in this dispute and probably new cases shortly, which may give confidence to certain business models or make them illegal.

Should you have any further questions, please contact our Specialist Data Privacy Counsel, Andres Ojaver.

Can data from publicly available LinkedIn profiles be utilised for business purposes?

As of yet, this is unclear within legal limits. However, it is important to note that LinkedIn does not own the personal data of users added to the platform. The owner remains the user.

Is prospecting through LinkedIn a breach of GDPR?

Prospecting through LinkedIn is not a breach of GDPR as long as you are in line with the GDPR and LinkedIn’s Privacy Policy.

« Back to articles
Hedman

Our memberships:
FinanceEstonia,
Estonian Service Industry Association,
Estonian Chamber of Commerce and Industry,
EstVCA, EstBan, FECC,
IBA & IBA European regional Forum