The introduction of the General Data Protection Regulation (and the subsequent Data Protection Act 2018 in the UK) (together, the “Data Protection Legislation”) has become an issue at the forefront of any organisation’s mind when considering the manner in which it manages personal data; due to the effort compliance requires and the serious consequences of non-compliance.

One particular issue that organisations will need to overcome is the interplay between the Data Protection Legislation and the ownership of LinkedIn contacts; the latter also being a contentious issue whereby employers have argued that contacts made during the course of employment should form the organisation’s intellectual property and/or its confidential information, whereas employees maintain the position that such contacts should remain under their control.

Although the courts are yet to provide a definitive ruling on the issue, the prevailing view supports the argument that connections generated during the course of employment constitute the employer’s confidential information (Whitmar Publications Limited v Gamage and others (2013)). Furthermore, a Birmingham based recruitment agency successfully obtained injunctions against three ex-employees to prevent them from continuing to use their company LinkedIn accounts after their employment had ceased.

Which principle takes precedence? For example, could an employer, which demands an ex-employee delivers up contacts generated during their employment, fall foul of the Data Protection Legislation? In such instances, a contact may have not given consent for their personal information to be stored and processed by the organisation (i.e. they may not have consented that a person who connected with them on LinkedIn may export their details to an external database). In order to better understand this question, we should review these issues in the light of the Data Protection Legislation as well as LinkedIn’s terms of use.

LinkedIn’s User Agreement (“UA”)

  • Under LinkedIn’s UA, members agree not to transfer any part of their accounts (e.g. connections) as well as comply with all applicable privacy laws (i.e. the Data Protection Legislation). Therefore, upon termination (or even during employment) it would be in breach of LinkedIn’s UA for an employee to transfer a list of connections made during the course of their employment to their employer.
  • Although there is the ability for an employing organisation to control access to any LinkedIn account for which they have paid for on an employee’s behalf, in many organisations this is not usual practice; generally employees will use their personal accounts during employment, of which an employer has no rights to under the UA.

Data Protection Legislation

  • Exporting and collating personal data of individuals without their consent or any legitimate interest to do so is a clear breach of the Data Protection Legislation. Therefore, unless an employee expressly communicates to any business contact that they are linking with them on behalf of their organisation (and as such, requests and receives their consent to the processing of their personal data by transferring their personal details to their employer), the transfer to an employer of its employees’ business contacts details would be an unlawful processing of personal data and therefore a breach of the Data Protection Legislation.

In short, while a contact would still have the opportunity to provide consent (by accepting an organisation’s request and subsequently consenting to it obtaining and processing their personal data) should their profile be public, the issue here is the manner in which their details have been found by an organisation. In most instances, it would be a breach of both the Data Protection Legislation as well as the LinkedIn UA should an organisation mine their contact details unlawfully from any of their existing or exiting employees.

Practical points to consider

Although there are several points to consider with regards to the ability (in a legal sense) for organisations to mine LinkedIn contacts from the employees, there are also several practical points to consider should organisations manage to overcome the hurdles set out above:

  • Employees would have to be clear at the outset when connecting with business contacts on LinkedIn. This would entail the employee receiving express consent from any such business contact which may come across obstructively and in many ways defeats the point of social media networks (which is, of course, to facilitate social interactions).
  • Should business contacts “opt-in” to the processing of their details by the organisation of an employee with whom they have connected, the subsequent follow-up by an organisation after the employee has left may come across as intrusive and overly formal – the risk here being that any relationship cultivated by the original employee could become soured.
  • This process of mining could become cumbersome and very time consuming. Considering that there is no real guarantee that an individual’s LinkedIn contacts manifest into business opportunities for organisations, the time and effort taken in compiling any such ‘databases’ could not really be worth the effort.

Summary

Overall, although it appears as though some organisations are celebrating the current case law supporting employers’ rights over LinkedIn contact details, the implications of the Data Protection Legislation may not yet have been felt; the issue of LinkedIn contact ownership may very well be overshadowed by the data protection rights of the very business contacts that organisations and ex-employees have been fighting over.

The Data Protection Legislation continues to pose difficult questions when it comes to implementing data security measures and this is another example of where privacy issues create grey areas which stand to be tested in practice.