With all laws and other regulations, personal data and its material value for companies have begun to be understood. Thus, other companies such as hiQ Labs started using publicly available personal data. In this article, we have tried to explain concepts such as data scraping, specific to the case, which is quite technical.
Summary of the Case*
LinkedIn Corp. was founded in 2002 and now has more than 500 million users who post daily about promotions, blog posts, helpful information, and most importantly personal data such as name, contact details, industry, and position in the company.
HiQ Labs, Inc. It was established in 2012 as a company that provides services on issues such as the employee profile of its customers, whether the customer leaves the company or not, and the employee's skills that are suitable for the job or can be improved. HiQ Labs pulled publicly available data from LinkedIn and created insights about customers' employees.
According to the documents presented in the lawsuit, LinkedIn employees attended various events organized by hiQ Labs as guest speakers. In addition, an "Impact Award" was given to a LinkedIn employee at the "Elevate" conference organized by hiQ Labs in 2016. Therefore, the Court concluded that LinkedIn employees had the opportunity to learn about hiQ products.
However, with the understanding of the power of personal data, LinkedIn wanted to use its users' data with other features such as Talent Insights. Therefore, in May 2017, LinkedIn issued a strike to hiQ Labs, arguing that hiQ Labs violated LinkedIn's user agreement and requesting hiQ Labs to stop accessing and copying data from the LinkedIn server. Still, hiQ Labs has filed a lawsuit seeking injunctive relief based on California law and an injunction. The District Court granted hiQ Labs' request, ordering LinkedIn to withdraw its dunning letter and remove any technical barriers preventing hiQ Labs from accessing the data.
The scope of the said dunning letter contained by HiQ Labs allegedly violated the LinkedIn User Agreement and the Computer Fraud and Abuse Act ("CFAA") and the Digital Millennium Copyright Act ("DMCA") and other fraud-related provisions. In this case, the CFAA was the most important for LinkedIn's argument. Still, the Court clarified that the CFAA pertains to protected computers and servers that must be authorized before any data collection.
The case was overturned in the U.S. Supreme Court by the Van Buren v. the United States (2021) decision, which narrowed the application of the provisions in the CFAA. This isn't the most shocking decision the U.S. Supreme Court has made this year, except for LinkedIn and other established companies.
The District Court issued an injunction that analyzed hiQ Labs and LinkedIn's positions and claims, and the Court of Appeal upheld the decision.
What is data scraping?
Users post daily to social media, personal or commercial websites, and many others. As we mentioned before, there are many ways to utilize personal data posted on platforms, called data scraping.
When analyzing whether there is a public interest in granting a preliminary injunction that will result in, as the Court said, "maximizing the free flow of information on the Internet", the Court defined data scraping briefly with the help of the parties' declarations on the case. Data scraping is to gather data that is publicly available and create data sets with all the accumulated information.
HiQ Labs noted that data scraping is a common method of gathering information, used by search engines, academic researchers, and many others. According to hiQ Labs, letting big corporations make the decision on which companies are allowed to scrape data would result in nonproportional power over the industry.
Significance of the Decision
HiQ Labs is not the only company that uses data scraping and analyzes data for commercial use.
The Cambridge Analytica Scandal showed that the GDPR framework prohibits non-disclosed use of personal data and there must be a defense mechanism against misuse of personal data. Ultimately, the Scandal had more to it in regards to using personal data without consent.
EU approach is drastically different from the U.S. on data scraping. In Bisnode decision by Poland Data Protection Authority ("DPA) showed a strong stance on the GDPR. Bisnode scraped data from publicly available records, however, failed to notice people whose personal data Bisnode scraped. Hence, not complying with the GDPR resulted in monetary fines.
Also in the Clearview AI decision, the company is fined £7.5 M by the Information Commissioner's Office ("ICO"). Clearview AI is an AI-focused company that specializes in facial recognition. Because of not complying with the GDPR in regards to not notifying users that they scraped personal data (i.e. social media photos) and fined well over €48 M by the ICO, Greek DPA, and Italy SA.
There are more cases of data scraping and it seems there will be more.
*Source: United States Court of Appeals for the Ninth Circuit, HiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783, 18.04.2022, Opinion by Judge Berzon.
Comments