Ninth Circuit Sides with Data Scraper and Affirms Preliminary Injunction Against LinkedIn in Data Mining Battle

Sep 23, 2019

Reading Time : 4 min

As competition for data analytics grows fierce, the Ninth Circuit has disfavored an attempt to lock down publicly available data against competition, signaling caution for those in the business of collecting or hosting such data. 

HiQ’s business model relies on “scraping” public data from public professional profiles (primarily found on LinkedIn) and using those profiles to create data analytics to sell as business insights. HiQ alleged that, for at least two years, LinkedIn had known that hiQ uses bots to scrape data from public LinkedIn profiles for this purpose, but just one month before announcing the launch of its own data analytics initiative, LinkedIn sent hiQ a cease-and-desist letter and blocked it from accessing profile data hosted on LinkedIn. Thereafter, hiQ filed for a temporary restraining order (TRO) and declaratory judgment.

Judge Chen in the Northern District of California issued a preliminary injunction against LinkedIn, barring it from imposing any legal or technical barriers to hiQ’s access. He reasoned that hiQ had established a likelihood of irreparable harm and shown a sharp imbalance of hardships if it could no longer obtain the profile data undergirding its business. Judge Chen also indicated that hiQ had shown serious questions going to the merits of its claims, which include allegations of unfair business practices, intentional interference with contract and promissory estoppel, and violation of free speech under the California Constitution.

The Ninth Circuit affirmed Judge Chen’s decision under an abuse-of-discretion standard of review. It agreed that hiQ had shown a likelihood of irreparable harm and substantial hardship without access to the data. The Ninth Circuit held that LinkedIn had failed to identify privacy or property interests in the data that outweighed the risks to hiQ’s business. It also agreed that hiQ had presented serious questions as to the merits, but due to the issues presented on appeal, the court limited its merits analysis to hiQ’s claims for unfair competition and tortious interference with contractual relations and LinkedIn’s affirmative defense of Computer Fraud and Abuse Act (CFAA) preemption. The court also held that the injunction was in the public interest to prevent information monopolies.

The Ninth Circuit’s decision touches on three key issues for companies currently in – or seeking to enter – the business of hosting or mining public data online.

First, public data may weigh in favor of public, competitive use. In deciding that the balance of hardships tipped sharply in hiQ’s favor, and in evaluating the public interests at stake, the Ninth Circuit held that a company’s competitive interest in accessing public data outweighed the minimal privacy and security interests that LinkedIn had identified in response.

The court held that “there is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly.” It further noted: “LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles.”

The court further reasoned that while “Internet companies and the public do have a substantial interest in thwarting denial-of-service attacks and blocking abusive users, identity thieves, and other ill-intentioned actors,” hiQ’s usage did not present such a threat.

Second, to withdraw permissions for use of public data under the CFAA, actions may speak louder than words. The court held that hiQ had raised serious questions as to whether normal access of public online profiles stored on a server constitutes access “without authorization,” even after receipt of a cease-and-desist letter. LinkedIn argued that, once hiQ received the cease and desist letter, its use of the profile data was “without authorization” and thus a violation of the CFAA that preempted hiQ’s state law claims. The court rejected this interpretation.

Instead, the court reasoned that the statute’s legislative history and its language “forbidding ‘access[] . . . without authorization’” concerns access that is “not generally available,” for example, if password protections are imposed. The Ninth Circuit concluded that, because CFAA is an “anti-intrusion” statute rather than a “misappropriation statute,” it did not apply to public profiles “for which access is open to the general public and permission is not required.” This narrow view of the statute is shared by the Second and Fourth Circuits, in contrast with the First, Fifth, Seventh, and Eleventh Circuits, which have broadened the CFAA’s scope to prohibit abuse of permitted access for forbidden purposes.

Third, even for hosts of public data, data scraping might be first come, stay served. The court also held that hiQ had raised serious questions as to the merits of its claims for unfair competition and intentional interference with contractual relations. HiQ alleged that LinkedIn knew about its data scraping practices and its contracts with customers like eBay, Capital One, and GoDaddy and denied access to hiQ only after LinkedIn announced its decision to leverage its own data in a similar way.

Given this, LinkedIn’s knowing exclusion of hiQ could show anti-competitive intentions: “If companies like LinkedIn, whose servers hold vast amounts of public data, are permitted selectively to ban only potential competitors from accessing and using that otherwise public data, the result—complete exclusion of the original innovator in aggregating and analyzing the public information—may well be considered unfair competition under California law,” even if LinkedIn had a business purpose for the decision. The court held that, because LinkedIn allegedly knew about the contractual relationships, its disruption of those relationships would be justified only “to protect an interest that has greater social value than insuring the stability of the contract” that suffered interference.

Notwithstanding these holdings, the Ninth Circuit left LinkedIn ammunition by suggesting other state law claims that could apply. The court noted that trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract or breach of privacy could lie against a data scraper like hiQ. It remains to be seen if and how such claims will fare in defending the interests of data hosts like LinkedIn.

Share This Insight

Previous Entries

Data Dive

November 19, 2024

The European Union’s AI Office published the inaugural General-Purpose AI Code of Practice on November 14, 2024. The Code is intended to assist providers of AI models in their preparations for compliance with the forthcoming EU AI Act, to be enforced from August 2, 2025. The Code is designed to be both forward-thinking and globally applicable, addressing the areas of transparency, risk evaluation, technical safeguards and governance. While adherence to the Code is not mandatory, it is anticipated to serve as a means of demonstrating compliance with the obligations under the EU AI Act. Following a consultation period that garnered approximately 430 responses, the AI Office will be empowered to apply these rules, with penalties for nonconformity potentially reaching 3% of worldwide turnover or €15 million. Three additional iterations of the Code are anticipated to be produced within the coming five months.

...

Read More

Data Dive

November 15, 2024

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

October 17, 2024

During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information.

...

Read More

Data Dive

September 17, 2024

Following the publication of the European Union’s Artificial Intelligence Act (AI Act or Act) on 12 July 2024, there are now a series of steps that various EU bodies need to take towards implementation. One of the first key steps is in relation to the establishment of codes of practice to “contribute to the proper application” of the AI Act.

...

Read More

Data Dive

August 6, 2024

On July 30, 2024, the Senate passed the Kids Online Safety and Privacy Act (S. 2073) via an overwhelmingly bipartisan vote of 91-3 shortly before departing for the August recess.

...

Read More

Data Dive

July 18, 2024

On 12 July 2024, the European Union Artificial Intelligence Act (AI Act or Act) was published in the Official Journal of the European Union (EU), marking the final step in the AI Act’s legislative journey. Its publication triggers the timeline for the entry into force of the myriad obligations under the AI Act, along with the deadlines we set out below. The requirement to ensure a sufficient level of AI literacy of staff dealing with the operation and use of AI systems will, for example, apply to all providers and deployers on 2 February 2025.

...

Read More

Data Dive

July 18, 2024

On June 18, 2024, the United States Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Company (RRD) for alleged internal control and disclosure failures following a ransomware attack in 2021. Without admitting or denying the SEC’s findings, the business communications and marketing services provider agreed to pay a civil penalty of over $2.1 million to settle charges alleging violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (Exchange Act) and Exchange Act Rule 13a-15(a).1

...

Read More

Data Dive

June 11, 2024

In May, the National Institute of Standards and Technology (NIST) issued updated recommendations for security controls for controlled unclassified information (CUI) that is processed, stored or transmitted by nonfederal organizations using nonfederal systems, (NIST Special Publication 800-171 (SP 800-171), Revision 3). These security requirements are “intended for use by federal agencies in contractual vehicles or other agreements that are established between those agencies and nonfederal organizations.”1 While these new controls are only applicable to nonfederal entities that agree to comply with the new issuance, Revision 3 signals the next phase of expected security for government contractors.

...

Read More

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.