LinkedIn is a professional networking platform that allows users to connect with other professionals, find jobs, promote their business, and more. With over 800 million members globally, LinkedIn processes large amounts of personal data. This raises the question – is LinkedIn considered a data controller or a data processor under data protection laws?
What is a data controller?
A data controller is the entity that determines the purposes and means of processing personal data. They decide how and why personal data is processed. Under the EU’s General Data Protection Regulation (GDPR), the data controller bears primary responsibility for compliance.
Some key characteristics of data controllers include:
- They determine the purposes and means of processing personal data
- They make decisions about what personal data is collected and how it is used
- They are responsible for implementing appropriate security measures
- They must ensure compliance with data protection laws and principles
What is a data processor?
A data processor is an entity that processes personal data on behalf of a data controller. They act according to the instructions provided by the controller. Under the GDPR, data processors have specific legal obligations – but the primary responsibility still lies with the controller.
Key characteristics of data processors include:
- They process personal data on behalf of a controller
- They must ensure security of data processing
- They must only act on the documented instructions of the controller
- They assist controllers with compliance obligations
Is LinkedIn a data controller or processor?
When assessing whether an entity is a controller or processor, you have to consider:
- Who determines the purposes and means of processing
- Who makes key decisions about data collection and use
- Who benefits from the data processing
LinkedIn’s data practices indicate that the company takes on the role of a data controller:
- LinkedIn decides what user data to collect, how to analyze it, and what purposes to use it for
- LinkedIn determines the features and services to offer based on their data practices
- LinkedIn benefits from the monetization of user data for advertising and other purposes
LinkedIn members do not instruct LinkedIn on how to handle their data – LinkedIn makes these decisions independently. This suggests LinkedIn acts as a data controller.
LinkedIn’s privacy policy and terms of service
Looking at LinkedIn’s privacy policy and terms of service also provides evidence that they are a data controller:
- The privacy policy states that LinkedIn controls and is responsible for member data
- It outlines the various purposes LinkedIn uses member data for, suggesting they determine the means and purposes of processing
- The terms give LinkedIn broad rights to collect, use, and share member data
LinkedIn’s role is not merely processing data on behalf of members – they make independent decisions about member data to benefit their business.
LinkedIn’s public statements
In a public statement on their GDPR compliance approach, LinkedIn says:
“As a controller of personal data, LinkedIn adheres to key GDPR privacy principles including purpose limitation, data minimization, storage limitation, integrity and confidentiality.”
They go on to describe their role as determining the purposes and means of processing member data. This confirms that LinkedIn considers itself a data controller under the GDPR.
LinkedIn’s processor role
While LinkedIn acts as a controller for member data, they can also act as a processor in some cases. For example:
- When processing employee data for corporate customers using Recruiter or other HR tools
- When handling learning data for customers using LinkedIn Learning
In these cases, LinkedIn is processing data on behalf of and under the instruction of the customer. So for this subset of data, they take on a processor role.
Summary: LinkedIn is primarily a data controller
In summary, the evidence strongly suggests LinkedIn acts as a data controller for the personal information of its members:
- LinkedIn decides what member data to collect and how to process it
- They determine the purposes and means of processing member data
- Their privacy policy and terms give them broad rights over member data use
- They have publicly acknowledged their controller role for member data
The exceptions are specific enterprise services where they process customer data under instruction as a processor. But their core business model relies on the collection and monetization of member data as a controller.
Compliance implications
As a data controller, LinkedIn has primary responsibility for compliance with data protection laws like the GDPR. This includes obligations like:
- Implementing data protection by design and default
- Maintaining records of processing activities
- Appointing a Data Protection Officer
- Conducting Data Protection Impact Assessments for high-risk processing
- Offering clear privacy information to members
- Handling member rights requests such as access, rectification, and erasure
Failure to comply with these controller obligations can lead to substantial fines under the GDPR – up to €20 million or 4% of global annual turnover.
Some examples of GDPR enforcement actions against LinkedIn include:
- 2021 – €25,000 fine by the Belgian DPA relating to unclear privacy communication and consent issues
- 2022 – €275,000 fine by the French DPA regarding cookie consent concerns
As a major controller of personal data, LinkedIn is likely to face ongoing scrutiny of its privacy and security practices.
Best practices for compliance
To improve its compliance posture as a data controller, LinkedIn could take steps such as:
- Reviewing and enhancing privacy notices and consent mechanisms
- Increasing transparency around data collection and use
- Implementing improved access and deletion options for members
- Conducting regular data protection audits and impact assessments
- Providing GDPR and data protection training to all employees
- Instituting stricter oversight and accountability for data practices
- Committing to data minimization and purpose limitation principles
Conclusion
LinkedIn clearly takes on the role of a data controller when it comes to member personal information. They independently determine why and how to collect and process member data to power their platform, products, and advertising business model. While they can function as a processor in some enterprise service contexts, their core business relies on controller-based processing of member data. As a result, LinkedIn is responsible for ensuring compliance with key data protection requirements imposed on controllers.