Support Centre

International: Regulators investigate alleged scraping and sale of personal data from LinkedIn

LinkedIn Corporation issued, on 8 April 2021, a statement on recent reports of the scraping and sale of personal data from the LinkedIn platform. In particular, the statement highlights that LinkedIn has investigated the alleged set of LinkedIn data that had been posted for sale and determined that this is not a LinkedIn data breach, but rather an aggregation of data from a number of websites and companies, including publicly viewable member profile data only, and not private member account data from LinkedIn.

You can read the statement here.

In light of the above, a number of regulators have issued statements addressing the ongoing incident.

Italy

The Italian data protection authority ('Garante') announced, on 8 April 2021, that it had launched an investigation into LinkedIn concerning the dissemination of user data, including IDs, full names, email addresses, telephone numbers, professional titles, work information, and connections to other LinkedIn profiles, among other things. In particular, Garante warned that the processing of personal data deriving from this incident is prohibited by privacy legislation, since such information is the result of unlawful processing, and drew users' attention to the importance of being wary of any anomalies connected to their telephone numbers, among other things.

You can read the press release, only available in Italian, here.

Hong Kong

The Office of the Privacy Commissioner for Personal Data ('PCPD') announced, on 9 April 2021, that it had submitted a letter of enquiry to LinkedIn to ascertain the details on the alleged scraping and sale of data of users of LinkedIn. In particular, the PCPD noted that it seeks to receive clarifications on the incident, including the number of Hong Kong users that may have been affected, and reminded LinkedIn that it should notify the affected users as soon as possible to mitigate risks associated with this incident.

You can read the press release here.

Luxembourg

The Luxembourg data protection authority ('CNPD') announced, on 9 April 2021, that it had been notified by the DPC of an exchange it had with Linkedin regarding media stories of a data breach. Concurrently, the CNPD noted that it had asked how many Luxembourg citizens had been affected. Notably, the CNPD estimated that the affected data appeared to have been downloaded via a data scraping technique. 

You can read the press release, only available in French, here.

Switzerland

The Federal Data Protection and Information Commissioner ('FDPIC') released, on 13 April 2021, a statement in which it outlined that Linkedin and Clubhouse had both been affected by breaches of personal data. Further, the FDPIC noted that it will continue to observe the situation and that it had contacted the relevant European authorities. In addition, the FDPIC offered guidance on particular measures that should be taken in response to data breaches. 

You can read the press release here.