LinkedIn's privacy slip-up draws legal scrutiny

Changes without user notification may breach European law

LinkedIn might have broken European law by changing privacy settings for its members without proper disclosure, legal experts assert.

The law requires that users explicitly consent to the use of their private data, the Dutch government watchdog College Bescherming Persoonsgegevens (CBP) said in response to questions by WebWereld, a Dutch IDG affiliate. Although the government body is unable to comment about specific cases including the LinkedIn case, a spokesperson for the privacy body said that "In general, we can say that settings for social networking sites by default have to be set to the advantage of the user's privacy. Requiring users to opt out doesn't qualify as consent."

Legal experts polled by Webwereld agree that LinkedIn likely violated the law when it changed the privacy settings for all its users last June. The new setting allows the social network to use the name and photos of its users in so-called social advertising. The move by LinkedIn drew little attention until last week, when users on blogs and Twitter denounced it for violating user privacy.

LinkedIn has defended the change in privacy settings by pointing out that the firm published two blog postings about the new policy. Every user also was presented with a banner ad that informed them about the changes. Responding to questions from WebWereld, the firm sent an e-mail statement referring to the blog postings and banner ads. LinkedIn declined to comment about the potential legal issues of the move.

In addition to potentially breaking Dutch law, the move by LinkedIn might also run afoul of European regulations. The European Data Protection Working Party on July 14 published an opinion stressing the need for explicit consent by the user and clarifying how this consent has to be obtained. LinkedIn has clearly violated the rules set forth in this document, said Milica Antic, a lawyer specializing in intellectual property matters for SOLV, a Dutch law firm.

"The Working Party might be overly strict in how it interprets the law, but it is obvious that LinkedIn has not followed the rules," Antic told Webwereld. LinkedIn has failed to clearly communicate the changes to its users, and failed to get a clear consent. "Personally, I've never seen the banner, and I haven't heard from anybody who has," Antic added.

Arnoud Engelfriet, a legal specialist focused on Internet law and privacy issues with ICTRecht, questions if a banner qualifies as consent. He argues that LinkedIn should have presented its users with a pop-up window that forces the user to either opt in or opt out before they can continue navigating the website. "I seriously question if LinkedIn has acted within the law," Engelfriet said.

Both Engelfriet and Antic called upon CBP to launch a formal investigation into the matter. "CBP has previously been very strict towards Google and could choose to investigate this matter as well," said Engelfriet in a reference to a case where Google illegally collected data from Wi-Fi networks.

A spokesperson for CBP couldn't say if it would launch an investigation into LinkedIn's privacy changes. As a policy, the privacy watchdog doesn't comment about cases that it might have under investigation.

Stories by René Schoemaker
