Thursday, 2 February 2012

Smoothing out the lather over LinkedIn

No sooner than I had posted my blog on the way in which LinkedIn updated their privacy conditions (last Monday) than Eric Heath, LinkedIn’s Director of Legal (product) has entered the debate.

Eric has been keen to emphasise that LinkedIn takes privacy very seriously: “I want to be clear about LinkedIn’s priorities when it comes to privacy – we take it very seriously. In fact, our core principle is “Members First” and we strive to put members first in everything we do.”

Eric has also been keen to reassure those who are concerned about the issue that it is not, actually, a new issue, and pointed to a blog that was posted last June, announcing the change: “LinkedIn changed its privacy policy last year to address what we call “social advertising.” We also blogged about it in advance:

Shortly after we started rolling out social advertising, however, our members reacted negatively to our efforts, so, looking to our first principle of putting members first, we listened to the feedback, and rolled back the program. Here's the blog post on that:

Regarding the existence of the social advertising setting within the LinkedIn Settings panel – we are working on updating that in the near term.

Additionally, FYI, this article appeared in the press yesterday via Reuters:”

I, personally, have absolutely no problem with what LinkedIn have done.

What concerns me is if the European Commission were to create a new data protection rule that forbade LinkedIn acting as they have done. After all, in my view, they are a perfectly respectable data controller that has made changes which they don’t consider to be against the legitimate interests of their customers, and they have done so after making information about the change available to their customers.

What many of their customers did not do (including me) is read the material that was published which explained these changes. Why? Presumably, because, like me, they already live in a world of information overload, and they do not have the mental capacity to comprehend the changes that so many controllers make to their privacy policies. And if they don’t have the mental capacity to comprehend so many changes, they certainly won’t be able to “consent” to these changes, given the proposed definition of consent in the draft Regulation.

The mighty Eduardo Ustaran (he of Field Fisher Waterhouse fame) is also concerned at the implications of an over reliance on consent as a condition for legitimising data processing. We both agree that the harder the Commission pushes on consent, the more devalued it gets.

So what is to be done, in this ever more complicated world?

Well, I think it’s time to relax a little, and give responsible data controllers some more slack. We need to balance the legitimate interests of individuals with the legitimate interests of responsible data controllers, who are passionate about providing the best services to their customers. We need to have the confidence to allow data controllers to constantly innovate to improve their offerings to their customers. If the customer doesn’t like it, then they can always blog about it - and very soon their gripe will reach the laptop screens of those who matter. And if the customer really doesn’t like it, they can (generally) find a competing service on the internet.

The last thing we really want to do is to enter into a negative world, one where it’s easy for people to be fobbed off with an excuse along the lines that they can’t have a particular service “because of data protection”. People are never going to be able to be clever enough to understand everything that happens to their personal data. And in the vast majority of instances, this is not a problem as these processes don’t cause harm to the individual.

Let’s try to create a new data protection instrument where it’s easier for controllers to feel free to innovate, rather than restrict them simply because their customers are insufficiently engaged with them to offer informed consent every time they want to try something a bit new.


Members of LinkedIn’s Privacy Professional Worldwide Group can access Eric Heath’s response at