
Privacy Bar Section | LinkedIn v. HiQ and the trans-Atlantic privacy divide


In a resounding victory for companies whose business model depends on web scraping, the U.S. Ninth Circuit Court of Appeals held this week that such activity does not violate the U.S. Computer Fraud and Abuse Act. The decision, which allows hiQ, a “people analytics” company, to continue scraping publicly available profile information from LinkedIn for its own business purposes, crystalizes the deep divide around the notion of privacy and data protection between Europe and the U.S. It also brings into sharp relief the fault lines between privacy and competition policy, particularly in the context of major tech platforms and the data ecosystems they nurture.

The case, hiQ Labs vs. LinkedIn Corporation, was set in motion in May 2017, when LinkedIn sent hiQ a cease-and-desist letter asserting that hiQ was violating LinkedIn’s terms of use and demanding that it stop accessing and copying data from LinkedIn’s servers.

The decision turned primarily on the court’s interpretation of the CFAA, an anti-hacking law with criminal sanctions that companies have repeatedly invoked to enforce their terms of use.

In a nutshell, LinkedIn argued that scraping data violated its terms of use and therefore constituted “unauthorized access” to its servers under CFAA. HiQ countered, and the court agreed, that there can be no “unauthorized access” where authorization for access isn’t required in the first place. According to the court, the CFAA concept of access “without authorization” is akin to “breaking and entering,” yet one cannot break and enter into a space that is open to the public. The court viewed the Supreme Court’s ruling in Van Buren v. United States, which held a policeman didn’t violate CFAA by running an unauthorized license plate search in a police database, as supportive of its decision.

Think about it this way: If a garden is surrounded by a fence with a gate and the gate is closed, anyone climbing over the fence is breaking and entering. But a garden owner cannot accuse someone of breaking and entering if there is no fence. A possible counterargument is that while there’s no fence, there’s a “sign” — LinkedIn’s terms of use — which says that access to the garden is permitted only for personal recreation but not for running a business.

In this case, in addition to that “sign” LinkedIn handed the “visitor” a personal note — the cease-and-desist — warning they’re not welcome on the property. But the court rejected such an argument, at least insofar as the encroachment is regarded as a violation of the criminally enforced CFAA. 

The court distinguished between access to publicly available profile information on LinkedIn, which cannot be “unauthorized,” and access to information on Facebook, which is restricted to users who sign in to the platform with their username and password. Circumventing such password restrictions to scrape data could be a violation of CFAA (Facebook v. Power Ventures).

Moreover, scrapers aren’t entirely out of the woods yet. As the court stated, “even if the CFAA does not apply: state law trespass to chattels claims may still be available. And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie.”

Be that as it may, the threat of a criminal penalty that hovered over scrapers for violating terms of use now seems remote.

To a European bystander, the result of the decision may seem odd. How could hiQ possibly be allowed to scrape individuals’ personal data and use it for “people analytics”? What is the legal basis for this? Of course, even if the information is publicly available, individuals have not consented to such a use; and they do not have a contract with hiQ.

Cross GDPR Articles 6(1)(a) and (b) from the list.

Could hiQ rely on its “legitimate interest” under Article 6(1)(f)? To scrape individuals’ data without their knowledge or consent and in violation of the platform’s terms of use? Surely not. And while hiQ may argue that users “manifestly made public” the information by posting it on LinkedIn, therefore satisfying a condition to processing even sensitive data under the stricter Article 9(2)(e), the conventional interpretation is that a controller needs an Article 6 hook for data processing in addition to one under Article 9. 

Herein lies the trans-Atlantic divide on privacy and data protection.

In Europe, a company needs a legal basis, that is, positive permission, to process data. You are allowed to do only what the law explicitly sanctions. Whereas in the U.S., the opposite is true. A company — anyone really — is allowed to do anything with data, as long as the law doesn’t prohibit it. And indeed, the hiQ court held that the law, or at least CFAA, doesn’t prohibit access to an area that is open to the public. The differences in views around privacy are particularly stark in connection with publicly available information, since in the U.S. any limitation of collection and use of such data also triggers First Amendment concerns.

The privacy implications of the decision were not lost on the Ninth Circuit. To LinkedIn’s argument that hiQ should be enjoined from accessing data to protect users’ privacy, the court replied that such privacy interests are outweighed by hiQ’s right to conduct business. The court stated that “there is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do.”

More saliently, the court questioned the bona fides of LinkedIn’s argument, given that LinkedIn itself offered to recruiters similar analytics services to those of hiQ. To that effect, the court quoted a CBS interview with LinkedIn CEO Jeff Weiner, who expressed the platform’s intent to “leverage all this extraordinary data we’ve been able to collect by virtue of having 500 million people join the site.”

The court’s reasoning resonates at a time when companies position privacy as an argument in competitive maneuvers against market rivals. Critics have claimed that EU regulators’ single-minded mission and focus on data protection misses the forest for the trees. For example, by decimating the online adtech ecosystem, privacy policymakers may be dealing large platforms a lucrative prize.

It’s worth quoting the court on this issue:

“HiQ points out that data scraping is a common method of gathering information, used by search engines, academic researchers, and many others. According to hiQ, letting established entities that already have accumulated large user data sets decide who can scrape that data from otherwise public websites gives those entities outsized control over how such data may be put to use.”

And later:

“We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.”

These strong words demonstrate how, in the U.S., courts adjudicate cases across a plurality of arguments, fields of law and policy considerations. While privacy policy may point one way, competition points another, and criminal law in yet another direction. Regardless of whether one agrees with the outcome of this specific case, it seems that a synthesis of all of these factors (privacy, publicly available information, competition, speech and freedom to run a business) yields results that are more grounded than decisions based on just one line of reasoning.

Photo by Veronica Reverse on Unsplash

6 Comments


  • Aristides Tranquillini Neto • Apr 22, 2022
    I don't think I agree with the U.S. decision. The decision may have been limited to analyze CFAA, but not just because the data is made public by LinkedIn that means HiQ can use that data in blatant violation of LinkedIn's terms of use. As the text said, the users have a contract with LinkedIn, not HiQ, so LinkedIn has to adopt measures to prohibit such activities.
    Moreover, I agree that LinkedIn has "monopoly" over this database, since LinkedIn took its time to build a social network and platform, and the users who provide their data to LinkedIn do so willingly, and can take it out at any time, which does not happen to HiQ.
    Important to note that HiQ could reach an agreement with LinkedIn to use this data, which is of course paid and has severe rules and regulations, but HiQ prefers to not do that.
  • Timothy Thatcher • Apr 22, 2022
    Agree with the decision. It's pretty simple really - data in question is deemed public (by virtue of user classification) therefore, there is no privacy issue.
  • Jesse Nord • Apr 25, 2022
    The decision by the court is truly baffling to me. As a LinkedIn user I have read and agreed to the Terms of Service presented by LinkedIn. The information I share as a user is because of this understanding. If some random company comes in and is able to obtain this information without my knowledge or consent I have lost control of this information and have no knowledge or recourse. This case has set a dangerous precedent regarding the handling of personal information and unintended use.
  • Reinhard Huebelbauer • Apr 27, 2022
    From a GDPR point of view the purpose of processing personal data must always be taken into account. In this context personal data that might have been made public as per article 9 (2) e GDPR may be only used in line with the purpose they have been published for. The purpose is definitely not providing personal data to any whatsoever company for analysing, profiling and selling. (this would in my opinion also raise the question on whether data subjects would be entitled to a fair monetary share of the revenues generated by such unintended commercial use of personal data)
    Based on the approach that requires an "article-6-hook", data scraping without informing data subjects and depriving them of control over their data cannot be based on legitimate interest as per article 6 (1) f GDPR. 
    However, it may look different if HiQ actually fulfilled the information duty under article 14 GDPR, which would enable data subjects to object to the processing of their data. (question of effective enforcement would remain open...)
    As concerns the "monopoly" it seems that this could be solved considering "FRAND" criteria in line with applicable copyright laws.
  • Nurani Ramachandran Srinivasan • Apr 30, 2022
    Very well articulated piece bringing out the sharp differences in the approach adopted by the US and EU. The reasoning given in this ruling is certainly logical and compelling. The moot question however remains- do individuals who put their personal data in public (professional) forums no longer control its further use or that they cease to have the right to be informed of use for different purposes? Besides carve-outs for journalistic, academic, or literary purposes, satisfying the balancing test for legitimate interests should remain central to this. We can expect to hear more on this in due course.
  • Patrick Chagoury • May 10, 2022
    While I don't 100% agree with the decision; the details are important. Scraping can take many forms (authenticated vs. unauthenticated) and web scrapes. In this case, what's the difference between Google 'scraping' for indexing purposes vs. HIQ's use of the 'scrape'. Perhaps the issue is use case related. In addition, it would be interesting to understand the controls LinkedIn has put in place to prevent scraping their data. I wonder if at any point in time, this was considered.