TOPICS: Data Scraping, Public Data, Data Protection, Social Media, LinkedIn, hiQ, CFAA, California, US
The US Court of Appeals for the Ninth Circuit has issued a long-awaited opinion upholding a previous decision from the District Court, forbidding LinkedIn from denying hiQ access to its public professional social networks.
hiQ is a data analytics company which, through the use of automated bots, scrapes information about users from their public LinkedIn profiles, in order to provide employers with analytics.
In May 2017, LinkedIn sent hiQ a cease-and-desist letter asserting that hiQ was in violation of LinkedIn's terms of service and demanding that it stop accessing and copying LinkedIn data. The letter stated that such access amounts to a violation of the Computer Fraud and Abuse Act ("CFAA"), a law enacted in 1986 that makes it a crime to access a computer
As reported in our previous newsletter, hiQ filed a suit seeking injunctive relief in order to prevent LinkedIn from barring its access, claiming that LinkedIn could not lawfully invoke the CFAA against its scraping practices. The District Court granted hiQ's motion and ordered LinkedIn to withdraw its cease-and-desist letter and to remove any technical barriers preventing hiQ's access.
The main question raised by LinkedIn in the appeal was whether hiQ's scraping of public data from LinkedIn's platform, after receiving LinkedIn's cease-and-desist letter, is to be considered as accessing data "without authorization" and thus being in violation of the CFAA.
The Ninth Circuit Court, in examining the wording and legislative history of the statute, ruled that the CFAA was enacted to prevent intentional intrusion into someone else's computer, and more specifically computer hacking. Hence, the Court concluded that access "without authorization" refers to circumstances in which access is not generally available and permission is required for access. Where data is public and access is open to the public, as is the case for LinkedIn users' public profiles, access does not fall within the "without authorization" concept.
The court distinguished between the LinkedIn case and its previous precedent in the case of Power Ventures v. Facebook, in which the court held that Power Ventures, a social media aggregation site, had violated the CFAA by accessing Facebook's computers "without authorization" after receiving a cease-and-desist letter. The court emphasized that, while Power Ventures was gathering user data protected by Facebook's access page, hiQ was scraping only public data that was available to the public.
When considering the public interest and balance of equities involved in denying or granting the preliminary injunction, the Court expressed its concern that allowing large internet platforms like LinkedIn to restrict the access and collection of data available on their platforms might lead to the creation of information monopolies.
Despite the Ninth Circuit Court's scraping-positive ruling, the future of data scraping is still the subject of fierce debate. Earlier this year, we reported on the Polish Data Protection Authority's first fine under the GDPR, penalizing a digital marketing company, Bisnode, for scraping public data of individuals and reusing it commercially without notifying them.
We will be happy to provide further advice on scraping of publicly-available personal data and best practices.
This update was published as part of our Technology & Regulation monthly client update.