Social Network LinkedIn is reported to have agreed to pay $13m to LinkedIn users in the United States of America in order to settle a class action lawsuit (Perkins v LinkedIn) claiming that LinkedIn sent unsolicited emails to users.
The lawsuit claimed that during the period 17 September 2011 to 31 October 2014, LinkedIn Corporation used its “Add Connections” service to grow its member base by inviting existing members of LinkedIn to import contacts from their external email accounts in order to generate automated email invitations to one or more of those contacts inviting them to connect on LinkedIn.
If no response was made to such an invitation request LinkedIn automatically generated two more “chasers”.
The lawsuit alleged that even though LinkedIn members willingly opted-in to the “Add Connection” service, at no time did they consent impliedly or expressly to their contacts receiving further unsolicited “chaser” emails. In the “Add Connections” service not only did the invitation emails openly come from the LinkedIn member to his or her contacts but also included that LinkedIn members’ profile photograph. As a result, the lawsuit stated that “Despite the appearance of the endorsement emails, the users do not compose the message, they do not consent to LinkedIn sending multiple messages on their behalf, and they are not compensated for the use of their name or likeness in the advertising or promotion of LinkedIn.”
Although LinkedIn rejected the claims made in the lawsuit, they have agreed the $13m compensation in order to avoid further issues.
The lessons that can be learned from this settlement are that in relation to personal information or personal data, whilst individuals may impliedly or expressly consent to their personal data being used for purposes in respect of which they have had unambiguous and transparent notice, there is little possibility that they can consent to the use of their information for purposes other than which they originally consented and more importantly, third parties such as the contacts of LinkedIn members as in this case, have a right to object to their information being shared since they have not opportunity to consent at all!
As with Facebook “Likes” and this LinkedIn “Add Connections”, businesses must remember that the data privacy laws of most countries require transparency with data subjects as regards the current and future use of any personal data that may be processed about them (even with their consent) and must not collect and process data without permission – particularly if that personal data is sensitive data and/or is going to be shared with further third parties and/or transferred from one jurisdiction to another in breach of data transfer restrictions.
Whilst class actions are not usual in England and Wales - nor indeed in other EU member states – there would be nothing to stop an individual bringing a similar complaint direct to the relevant data protection authority since the “Add Connection” was all about collecting personal data.
LinkedIn is headquartered in Ireland in respect of its EU operations and is therefore subject to the Irish data protection law and of course recently the Irish Data Protection Commissioner has been very much in the news as a result of the decision from the European Court of Justice in the case of Max Schrems v Facebook.
The decision of the European Court of Justice that Safe Harbor, as a mechanism for transferring personal data from the EU to the US is now invalid, has an impact on many social media companies and indeed on LinkedIn. LinkedIn also relies on Safe Harbor. EU data protection laws apply to any business or individual that processes personal data and is either based in the EU or uses equipment for the purposes of processing personal data in the EU. In respect of many users of LinkedIn, they are processing personal data using the LinkedIn service in their personal or domestic capacity. However, LinkedIn more than most social media services, is aimed at professionals and is used for professional purposes. Arguably, the domestic exemption does not apply to individuals who are using LinkedIn and the question now arises as to whether those individuals are data controllers in their own right in respect of their LinkedIn activities and as such, should consider registration with the relevant data protection authority and more importantly, not be using LinkedIn until such time as LinkedIn provides an alternative solution to “Safe Harbor” for the purposes of data being shared across its entire network, including the US.
The ubiquitous nature of communications and communication devices is such that the division between work and home or business and personal life is blurred. That blurring also distorts the liabilities and responsibilities of business professionals who use social media accounts in their own names for both personal as well as business purposes.
It will be interesting to see how the regulators focus on these issues, both in the US as well as in Europe.