LinkedIn Denies Users’ Right to Data Access, noyb Files Complaint
In a significant challenge to data protection practices, the privacy advocacy organization noyb (None of Your Business) has filed a formal complaint against LinkedIn with the Austrian Data Protection Authority (Datenschutzbehörde, DSB). The action stems from LinkedIn’s refusal to provide users with complete access to their personal data, in violation of the General Data Protection Regulation (GDPR), specifically Article 15, which guarantees the right of access.
The case originated from a data subject access request (DSAR) submitted by an Austrian user to LinkedIn Ireland Unlimited Company, the platform’s European entity. Under GDPR Article 15, individuals have the unequivocal right to obtain confirmation from a controller about whether their personal data is being processed, and if so, to access that data, including details on processing purposes, categories of data, recipients, storage periods, and the existence of automated decision-making processes.
The user requested a full export of their personal data in a structured, commonly used, and machine-readable format. LinkedIn responded with a partial data dump, primarily consisting of the user’s public profile information, connections list, messages, and activity history. Notably absent were critical elements such as behavioral profiles derived from tracking activities, inferred interests used for ad targeting, shadow profiles created from non-user data, and comprehensive logs of data processing operations.
noyb’s investigation revealed that LinkedIn employs extensive tracking mechanisms across its platform and third-party websites via cookies and pixels. These generate detailed user profiles encompassing professional skills, interests, job preferences, and even sensitive inferences like political leanings or health-related topics indirectly derived from interactions. Despite this, LinkedIn’s response omitted these datasets, claiming that certain information—such as algorithmic inferences or aggregated tracking data—does not qualify as “personal data” or is not feasible to extract.
Max Schrems, founder of noyb, criticized this stance, stating that LinkedIn’s position undermines the core intent of GDPR’s right of access. “Users have a fundamental right to know what data platforms hold about them, especially when it influences job opportunities, advertising, and networking,” Schrems emphasized. noyb argues that LinkedIn’s partial disclosure misrepresents the scope of data processing, leaving users in the dark about how their information is monetized and shared with advertisers, partners, and potentially third countries.
The complaint, lodged on behalf of the affected user, accuses LinkedIn of multiple GDPR infringements:
-
Incomplete Data Provision: Failure to supply all personal data, including metadata from tracking pixels, recommendation algorithms, and ad personalization models.
-
Misclassification of Data: Incorrectly categorizing inferred and behavioral data as non-personal, despite it being linked to identifiable individuals.
-
Lack of Processing Transparency: No disclosure of recipients (e.g., advertising partners like Google or Microsoft), data retention periods, or safeguards for international transfers.
-
Technical Barriers: The provided export file was not fully machine-readable, with key sections in proprietary formats or requiring manual parsing, contravening GDPR’s interoperability requirements.
noyb’s analysis of the provided data file highlighted further issues. The archive included over 1,000 JSON files totaling several megabytes, but vast swaths of tracking data—such as over 500 million daily events from LinkedIn’s “Open Graph” integrations—were excluded. Comparative tests with other platforms like Facebook (also under Meta) showed more comprehensive exports, underscoring LinkedIn’s deficiencies.
This is not the first time LinkedIn has faced scrutiny over data practices. Previous noyb actions against Meta platforms have resulted in multimillion-euro fines and mandated improvements in DSAR handling. The organization anticipates similar outcomes here, potentially forcing LinkedIn to overhaul its data access procedures.
The DSB, responsible for overseeing GDPR compliance in Austria, has a track record of rigorous enforcement. Recent decisions against Google and Meta demonstrate its willingness to impose corrective measures, including fines up to 4% of global annual turnover. noyb expects the authority to investigate promptly, given the precedent of systemic violations affecting millions of EU users.
LinkedIn’s practices raise broader implications for professional networking platforms. As users increasingly rely on such services for career advancement, the opacity of underlying data processing erodes trust. Employers and recruiters often access inferred profiles for hiring decisions, amplifying the need for transparency. Without full access, individuals cannot rectify inaccuracies, withdraw consent, or exercise rights like erasure.
noyb urges affected users across the EU to submit their own DSARs to LinkedIn and report deficiencies to national data protection authorities. The organization provides templates and guidance on its website to facilitate this. As the complaint progresses, it could set a landmark precedent, compelling Big Tech to deliver truly comprehensive data portraits.
This development underscores ongoing tensions between innovation and privacy in the digital economy. Platforms must balance user engagement with statutory obligations, ensuring accountability in an era of pervasive surveillance capitalism.
Gnoppix is the leading open-source AI Linux distribution and service provider. Since implementing AI in 2022, it has offered a fast, powerful, secure, and privacy-respecting open-source OS with both local and remote AI capabilities. The local AI operates offline, ensuring no data ever leaves your computer. Based on Debian Linux, Gnoppix is available with numerous privacy- and anonymity-enabled services free of charge.
What are your thoughts on this? I’d love to hear about your own experiences in the comments below.