TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Bar Section | LinkedIn v. HiQ and the trans-Atlantic privacy divide Related reading: Van Buren: The implications of what is left unsaid

rss_feed
GDPR-Ready_300x250-Ad

In a resounding victory for companies whose business model depends on web scraping, the U.S. Ninth Circuit Court of Appeals held this week that such activity does not violate the U.S. Computer Fraud and Abuse Act. The decision, which allows hiQ, a “people analytics” company, to continue scraping publicly available profile information from LinkedIn for its own business purposes, crystalizes the deep divide around the notion of privacy and data protection between Europe and the U.S. It also brings into sharp relief the fault lines between privacy and competition policy, particularly in the context of major tech platforms and the data ecosystems they nurture.

The case, hiQ Labs vs. LinkedIn Corporation, was put in motion when in May 2017, LinkedIn sent hiQ a cease-and-desist letter, asserting that hiQ was violating LinkedIn’s terms of use and demanding that it stop accessing and copying data from LinkedIn’s servers.

The decision primarily turned around the court’s interpretation of the CFAA, an anti-hacking law with criminal sanctions that companies have repeatedly invoked to enforce their terms of use.

In a nutshell, LinkedIn argued that scraping data violated its terms of use and therefore constituted “unauthorized access” to its servers under CFAA. HiQ countered, and the court agreed, that there can be no “unauthorized access” where authorization for access isn’t required in the first place. According to the court, the CFAA concept of access “without authorization” is akin to “breaking and entering,” yet one cannot break and enter into a space that is open to the public. The court viewed the Supreme Court’s ruling in Van Buren v. United States, which held a policeman didn’t violate CFAA by running an unauthorized license plate search in a police database, as supportive of its decision.

Think about it this way: If a garden is surrounded by a fence with a gate and the gate is closed, anyone climbing over the fence is breaking and entering. But a garden owner cannot accuse someone of breaking and entering if there is no fence. A possible counterargument is that while there’s no fence, there’s a “sign” — LinkedIn’s terms of use — which says that access to the garden is permitted only for personal recreation but not for running a business.

In this case, in addition to that “sign” LinkedIn handed the “visitor” a personal note — the cease-and-desist — warning they’re not welcome on the property. But the court rejected such an argument, at least insofar as the encroachment is regarded as a violation of the criminally enforced CFAA. 

The court distinguished between access to publicly available profile information on LinkedIn, which cannot be “unauthorized,” and access to information on Facebook, which is restricted to users who sign-in to the platform with their username and password. Circumventing such password restrictions to scrape data could be a violation of CFAA (Facebook v. Power Ventures).

Moreover, scrapers aren’t entirely out of the woods yet. As the court stated, “even if the CFAA does not apply: state law trespass to chattels claims may still be available. And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie.”

Be that as it may, the threat of a criminal penalty that hovered over scrapers for violating terms of use now seems remote.

To a European bystander, the result of the decision may seem odd. How could hiQ possibly be allowed to scrape individuals’ personal data and use it for “people analytics”? What is the legal basis for this? Of course, even if the information is publicly available, individuals have not consented to such a use; and they do not have a contract with hiQ.

Cross GDPR Articles 6(1)(a) and (b) from the list.

Could hiQ rely on its “legitimate interest” under Article 6(1)(f)? To scrape individuals’ data without their knowledge or consent and in violation of the platform’s terms of use? Surely not. And while hiQ may argue that users “manifestly made public” the information by posting it on LinkedIn, therefore satisfying a condition to processing even sensitive data under the stricter Article 9(2)(e), the conventional interpretation is that a controller needs an Article 6 hook for data processing in addition to one under Article 9. 

Herein lies the trans-Atlantic divide on privacy and data protection.

In Europe, a company needs a legal basis, that is, positive permission, to process data. You are allowed to do only what the law explicitly sanctions. Whereas in the U.S., the opposite is true. A company — anyone really — is allowed to do anything with data, as long as the law doesn’t prohibit it. And indeed, the hiQ court held that the law, or at least CFAA, doesn’t prohibit access to an area that is open to the public. The differences in views around privacy are particularly stark in connection with publicly available information, since in the U.S. any limitation of collection and use of such data also triggers First Amendment concerns.

The privacy implications of the decision were not lost on the Ninth Circuit. To LinkedIn’s argument that hiQ should be enjoined from accessing data to protect users’ privacy, the court replied that such privacy interests are outweighed by hiQ’s right to conduct business. The court stated that “there is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do.”

More saliently, the court questioned the bona fides of LinkedIn’s argument, given that LinkedIn itself offered to recruiters similar analytics services to those of hiQ. To that effect, the court quoted a CBS interview with LinkedIn CEO Jeff Weiner, who expressed the platform’s intent to “leverage all this extraordinary data we’ve been able to collect by virtue of having 500 million people join the site.”

The court’s reasoning resonates at a time when companies position privacy as an argument in competitive maneuvers against market rivals. Critics have claimed that EU regulators’ single-minded mission and focus on data protection misses the forest for the trees. For example, by decimating the online adtech ecosystem, privacy policymakers may be dealing large platforms a lucrative prize.

It’s worth quoting the court on this issue:

format_quote“HiQ points out that data scraping is a common method of gathering information, used by search engines, academic researchers, and many others. According to hiQ, letting established entities that already have accumulated large user data sets decide who can scrape that data from otherwise public websites gives those entities outsized control over how such data may be put to use.”

And later:

format_quote“We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.”

These strong words demonstrate how, in the U.S., courts adjudicate cases across a plurality of arguments, fields of law and policy considerations. While privacy policy may point one way, competition points another, and criminal law in yet another direction. Regardless of whether one agrees with the outcome of this specific case, it seems that a synthesis of all of these factors, privacy, publicly available information, competition, speech and freedom to run a business — yields results that are more grounded than decisions based on just one line of reasoning.  

Photo by Veronica Reverse on Unsplash

6 Comments

If you want to comment on this post, you need to login.

  • comment Aristides Tranquillini Neto • Apr 22, 2022
    I don't think I agree with the U.S. decision. The decision may have been limited to analyze CFAA, but not just because the data is made public by LinkedIn that means HiQ can use that data in blatant violation of LinkedIn's terms of use. As the text said, the users have a contract with LinkedIn, not HiQ, so LinkedIn has to adopt measures to prohibit such activities.
    Moreover, I agree that LinkedIn has "monopoly" over this database, since LinkedIn took its time to build a social network and platform, and the users who provide their data to LinkedIn do so willingly, and can take it out at any time, which does not happen to HiQ.
    Important to note that HiQ could reach an agreement with LinkedIn to use this data, which is of course paid and has severe rules and regulations, but HiQ prefers to not do that.
  • comment Timothy Thatcher • Apr 22, 2022
    Agree with the decision. It's pretty simple really - data in question is deemed public (by virtue of user classification) therefore, there is no privacy issue.
  • comment Jesse Nord • Apr 25, 2022
    The decision by the court is truly baffling to me. As a LinkedIn user I have read and agreed to the Terms of Service presented by LinkedIn. The information I share as a user is because of this understanding. If some random company comes in and is able to obtain this information without my knowledge or consent I have lost control of this information and have no knowledge or recourse. This case has set a dangerous precedent regarding the handling of personal information and unintended use.
  • comment Reinhard Huebelbauer • Apr 27, 2022
    From a GDPR point of view the purpose of processing personal data must always be taken into account. In this context personal data that might have been made public as per article 9 (2) e GDPR may be only used in line with the purpose they have been published for. The purpose is definetly not providing personal data to any whatsoever company for analysing, profiling and selling. (this would in my opinion also raise the question on whether data subjects would be entitled to a fair monetary share of the revenues generated such unintended commercial use of personal data) 
    Based on the approach that requires an "article-6-hook", data scraping without informing data subjects and depriving them of control over their data cannot be based on legitimate interest as per article 6 (1) f GDPR. 
    However, it may look different if HiQ actually fulfilled the information duty under article 14 GDPR, which would enable data subjects to object to the processing of their data. (question of effective enforcement would remain open...)
    As concerns the "monopoly" it seems that this could be solved considering "FRAND" critera in line with applicable copyright laws.
  • comment Nurani Ramachandran Srinivasan • Apr 30, 2022
    Very well articulated piece bringing out the sharp differences in the approach adopted by the US and EU. The reasoning given in this ruling is certainly logical and compelling. The moot question however remains- do individuals who put their personal data in public (professional) forums no longer control its further use or that they cease to have the right to be informed of use for different purposes? Besides carve-outs for journalistic, academic, or literary purposes, satisfying the balancing test for legitimate interests should remain central to this. We can expect to hear more on this in due course.
  • comment Patrick Chagoury • May 10, 2022
    While I don't 100% agree with the decision; the details are important. Scraping can take many forms (authenticated vs. unauthenticated) and web scrapes. In this case, what's the difference between Google 'scraping' for indexing purposes vs. HIQ's use of the 'scrape'. Perhaps the issue is use case related. In addition, it would be interesting to understand the controls LinkedIn has put in place prevent scraping their data. I wonder if at any point in time, this was considered.