LinkedIn profile visitor lists belong to the people, says Noyb
LinkedIn profile visitor lists belong to the people, says Noyb
LinkedIn 个人资料访客列表属于用户,Noyb 组织如是说
A LinkedIn feature the average non-paying user likely only glances past could end up setting a legal precedent in the EU regarding how companies treat customer data that they’ve processed. LinkedIn 的一项功能,普通非付费用户可能只是匆匆扫过,但它最终可能会在欧盟开创一个法律先例,涉及公司应如何处理其已处理的客户数据。
Take a look at your LinkedIn profile, if you have one, and you’ll see a space where you can look at profile viewers. For premium LinkedIn users, the list of people who visit one’s profile goes back 365 days and includes names, job title and employer, and an easy link to the person’s profile, unless they’ve toggled their visibility off for privacy reasons. 看看你的 LinkedIn 个人资料(如果你有的话),你会看到一个可以查看个人资料访客的区域。对于 LinkedIn 高级会员,查看个人资料的访客列表可以追溯到 365 天前,其中包括姓名、职位、雇主以及指向该人个人资料的便捷链接,除非他们出于隐私原因关闭了可见性。
Non-premium LinkedIn users, on the other hand, don’t get nearly the same level of visibility on their profiles. If you don’t fork over cash to LinkedIn owner Microsoft each month for the privilege, you’ll just see things like “12 people found you though the homepage,” or that someone with a certain job title from a certain company was scoping out your LinkedIn page. 另一方面,非高级 LinkedIn 用户在个人资料上的可见度远没有那么高。如果你不每月向 LinkedIn 的所有者微软支付费用来获取这项特权,你只会看到诸如“有 12 人通过主页找到了你”,或者“某家公司的某位职位人士查看了你的 LinkedIn 页面”之类的信息。
One unnamed LinkedIn user refused to accept this lesser status, and approached Microsoft to exercise their GDPR Article 15 right to a copy of their personal data processed by LinkedIn. “Processed” can mean a variety of things, including something as broad as simply hosting a particular type of information. LinkedIn rejected the request on the grounds that protecting that data took precedence. 一位未透露姓名的 LinkedIn 用户拒绝接受这种低人一等的待遇,并联系微软行使《通用数据保护条例》(GDPR)第 15 条赋予的权利,要求获取一份由 LinkedIn 处理的个人数据副本。“处理”一词可以有多种含义,包括像简单地托管特定类型信息这样宽泛的行为。LinkedIn 以保护该数据具有优先权为由拒绝了这一请求。
Now the data protection warriors at EU privacy outfit Noyb (“none of your business”) are getting involved. “Selling data to its own users is a popular practice among companies,” Noyb data protection lawyer Martin Baumann said of the case. “In reality, however, people have the right to receive their own data free of charge.” 现在,欧盟隐私组织 Noyb(意为“不关你的事”)的数据保护斗士们介入了此事。Noyb 的数据保护律师马丁·鲍曼(Martin Baumann)在谈到此案时表示:“向用户出售数据是公司间的普遍做法。然而,现实情况是,人们有权免费获取自己的数据。”
Take a look at the language of Article 15, and it’s pretty clear: data subjects (i.e., users) have the right to a copy of any and all data concerning them that’s been processed by the provider. A full list of profile visitors seemingly should fall under Article 15 data – even if it’s normally reserved for paying users and presented to them in a nicer way, it should still be accessible to free users who actually request it. 看看第 15 条的措辞,非常明确:数据主体(即用户)有权获得由提供商处理的任何及所有关于他们的数据副本。完整的个人资料访客列表似乎应该属于第 15 条规定的数据范畴——即使它通常只提供给付费用户并以更友好的方式呈现,但对于确实提出请求的免费用户来说,它也应该是可获取的。
LinkedIn didn’t appear to believe that it was doing anything wrong at all. In a clear denial of facts that are obviously apparent to any non-paying LinkedIn user, including the writer and both editors who worked on this story, a LinkedIn spokesperson told us, “Not only is it incorrect that only Premium members can see who has viewed their profile, but we also satisfy GDPR Article 15 by disclosing the information at issue via our Privacy Policy.” LinkedIn 似乎并不认为自己有任何不妥。LinkedIn 的一位发言人向我们表示:“只有高级会员才能看到谁查看了他们的个人资料,这种说法不仅是不正确的,而且我们还通过隐私政策披露了相关信息,从而满足了 GDPR 第 15 条的要求。”这一说法显然否认了任何非付费 LinkedIn 用户(包括本文作者和参与报道的两位编辑)显而易见的事实。
The first part of that statement is false, as you can see from the screenshot above. Given the obvious untrustworthiness of that half of the statement, we didn’t bother wasting any time trying to evaluate the second part. 该声明的第一部分是虚假的,正如你从上面的截图中看到的那样。鉴于该声明的前半部分明显不可信,我们没有浪费时间去评估后半部分。
Noyb acknowledges there’s a clear bit of legal fuzziness stuck in this corner of the GDPR when it comes to premium service offerings. “If any business processes a person’s personal data, this information is generally covered by their right of access under the GDPR,” Baumann told The Register. “It does not matter that the business would prefer to sell the data to the data subject or that it would be harmful for their business model if they would.” Noyb 承认,在涉及高级服务产品时,GDPR 的这一领域确实存在明显的法律模糊地带。鲍曼告诉《The Register》:“如果任何企业处理了某人的个人数据,这些信息通常都属于 GDPR 规定的访问权范畴。企业是否更愿意将数据卖给数据主体,或者这样做是否会损害其商业模式,这并不重要。”
There’s only one exception in Article 15 that would give LinkedIn an out, Baumann told us, and that’s the last paragraph, which says a person’s right to their data can’t adversely affect the rights and freedoms of others. Were LinkedIn to argue that it had to protect the identities of people who visited a data subject’s profile, they could have an excuse. But not a good one, in Baumann’s opinion. 鲍曼告诉我们,第 15 条中只有一个例外情况能让 LinkedIn 找到借口,那就是最后一段,该段规定个人获取其数据的权利不得对其他人的权利和自由产生不利影响。如果 LinkedIn 辩称它必须保护访问数据主体个人资料的人的身份,他们可能会有一个借口。但在鲍曼看来,这并不是一个站得住脚的理由。
“Since LinkedIn does provide information about profile visits to paying Premium members, it cannot consider that disclosing the data would adversely affect the rights of the visitors whose data is disclosed,” the Noyb lawyer explained. “Otherwise, providing this information to Premium users would be unlawful too.” “既然 LinkedIn 确实向付费高级会员提供了个人资料访问信息,那么它就不能认为披露这些数据会对其数据被披露的访客的权利产生不利影响,”这位 Noyb 律师解释道。“否则,向高级用户提供这些信息也是违法的。”
What seems to be the sticking point here is where right of access begins and a company’s right to make money off data they hold (data that was, ahem, supplied by users) ends. Baumann said he hopes this case can clear the legal air. 这里的症结似乎在于:访问权的起点在哪里,而公司利用其持有的数据(咳咳,这些数据是由用户提供的)赚钱的权利的终点又在哪里。鲍曼表示,他希望此案能澄清法律上的疑虑。
“We expect a clarification concerning the fact that personal data that can be accessed when a user pays for it is also covered by their right of access,” he explained. “我们期待得到澄清,即用户付费后可以访问的个人数据,同样也属于其访问权的范畴,”他解释道。
Think of it like this: LinkedIn has every right under the GDPR to take data it has about profile visitors, package it up, add analytics, and present it in its most useful form to those willing to pay the platform for such a premium service. But a masochistic user who wants to rawdog a CSV file of the same data should have the right to do that, too - and GDPR Article 15 gives it to them. 可以这样理解:根据 GDPR,LinkedIn 完全有权获取其拥有的关于个人资料访客的数据,进行打包、添加分析,并以最实用的形式呈现给那些愿意为这种高级服务付费的用户。但是,如果一个“受虐狂”用户想要直接获取一份包含相同数据的 CSV 文件,他们也应该有权这样做——而 GDPR 第 15 条赋予了他们这项权利。
It’s not just LinkedIn, either. Baumann said there are numerous other cases where similar legal clarification would be appreciated, citing the example of a bank that is unwilling to provide access to account statements in response to a GDPR request, but is happy to hand over similar data for a fee. “A precedent would be welcomed,” Baumann said. 不仅仅是 LinkedIn。鲍曼表示,还有许多其他案例也需要类似的法律澄清,他举了一个例子:一家银行不愿在响应 GDPR 请求时提供账户对账单,但却乐意收费提供类似数据。“我们欢迎一个先例的出现,”鲍曼说。