The European privacy group noyb today filed a formal complaint with the Austrian Data Protection Authority against LinkedIn Ireland Unlimited Company, alleging that the Microsoft-owned professional network is locking users out of their own personal data unless they pay for a premium subscription - a practice noyb argues directly contradicts the access rights guaranteed under Article 15 of the General Data Protection Regulation.

The complaint, assigned noyb case number C104, was submitted to the Österreichische Datenschutzbehörde in Vienna on 5 May 2026. It targets a specific and commercially significant feature: LinkedIn's display of profile visitor data. The platform tracks which members view a given user's profile and can show up to 365 days of that history - but only to paying Premium members. Free users, in other words, can see that someone visited their profile but cannot find out who without upgrading.

The paywall and the data access problem

The mechanics are straightforward. According to the complaint documents, on 13 March 2026, the affected LinkedIn user could see that 55 people had visited their profile in the preceding 90 days. The notification was visible. The names were not - and would not become so without an upgrade to LinkedIn's paid Premium tier, which carries a listed monthly price of approximately 29.74 euros.

LinkedIn does offer a narrow partial exception for free users. Those who disable their own privacy mode - meaning those who allow LinkedIn to identify them as a visitor when they look at other profiles - can see up to three of their own profile visitors at no cost. According to the complaint, this represented roughly 5 percent of the 55 visitors recorded in the 90-day window for the affected user. Everyone else remained invisible unless money changed hands.

The platform's privacy settings give users three visibility options when visiting profiles: showing their name and headline, showing only private profile characteristics, or full private mode. Choosing the private options disables the profile viewer feature and clears the viewing history. This means users face a tradeoff: either expose their own browsing activity to the people they visit, accept partial anonymity that disqualifies them from seeing their own visitors, or pay for Premium to access everything. The design structure, noyb argues, is constructed to push users toward the paid tier.

The access request and LinkedIn's response

The complainant followed a procedurally conventional path before filing with the regulator. According to the complaint, on 16 October 2025 the user submitted a formal data access request to LinkedIn using the platform's own download tool - the mechanism LinkedIn's own privacy policy directs users to for exercising data subject rights. The downloaded data did not contain any information about profile visitors.

The user then contacted LinkedIn again, pointing out that the data copy appeared incomplete with respect to profile visitors. LinkedIn responded by stating it only provides data belonging to the requesting user, not data belonging to other members - and therefore would not include information about which LinkedIn accounts had viewed the profile.

A third approach followed. The complainant raised the logical inconsistency directly: the same visitor information is made available to Premium subscribers, which means LinkedIn clearly processes and stores it and is willing to share it - just not for free and not in response to a GDPR access request. According to the complaint documentation, LinkedIn declined again, this time without offering substantive reasoning. The correspondence with LinkedIn support spans the period from October 2025 through January 2025, according to the evidence cited in the complaint.

Noyb's legal analysis rests on a structural tension within LinkedIn's own position. Under Article 15(1) of the GDPR, data subjects have the right to obtain confirmation from a controller as to whether personal data concerning them is being processed, and if so, to receive a copy of that data. Article 4(1) of the regulation defines personal data broadly: any information relating to an identified or identifiable natural person. Information about which named LinkedIn users viewed a particular profile plainly falls within that definition, according to the complaint.

The complaint also invokes Article 15(1)(c), which requires controllers to inform data subjects about the recipients or categories of recipients to whom personal data has been or will be disclosed. Profile visitors, in noyb's analysis, can be understood as recipients in this sense: when a user views a profile, data about that viewing activity is associated with both accounts. Where specific recipients are known, they must be named.

LinkedIn's counter-argument - that disclosing visitor identities would infringe the rights and freedoms of those third parties under Article 15(4) - is the pivot on which the case turns. Noyb's rebuttal is pointed. According to the complaint, LinkedIn's own Privacy Mode settings allow users to choose whether to appear when others view their profile visitor lists. Users who do not activate private mode have effectively consented to being identified in this context. The information can therefore lawfully be disclosed to Premium users - and if it can be lawfully disclosed to Premium users, the third-party rights argument cannot simultaneously justify withholding it from users exercising a statutory access right.

Martin Baumann, data protection lawyer at noyb, put the contradiction plainly. According to the noyb press release: "Selling data to its own users is a popular practice among companies. In reality, however, people have the right to receive their own data free of charge. It is absurd that companies only seem to recognise the importance of data protection when they want to sell data. For example, when LinkedIn has no problem handing over certain data in exchange for money - but suddenly becomes concerned about the privacy of other users when you exercise your right of access."

Baumann elaborated on the logical inconsistency in a second quoted statement: "The protection of the rights and freedoms of others can definitely be a reason for not disclosing shared personal data. However, if a company has sought the relevant consent and is clearly willing to make the same data available for a fee, this argument no longer holds water."

The complaint therefore characterises LinkedIn's refusal as commercially motivated rather than legally grounded. According to the filed document, the only plausible explanation for denying the access request while selling the same data through Premium is that LinkedIn is attempting to monetise the information a second time - first by charging users for visibility into their own data, then by invoking data protection as a shield against handing it over for free.

What noyb is requesting

The complaint before the Austrian Data Protection Authority seeks three things. First, a finding that LinkedIn violated the complainant's right of access under Article 15 GDPR by failing to provide information about profile visitors who had set their accounts to be visible. Second, an order under Article 58(2)(c) GDPR requiring LinkedIn to supply a complete response to the access request - specifically including profile visitor data at the same level of detail available to Premium subscribers. Third, the imposition of a fine under Article 58(2)(i) in conjunction with Article 83(5)(b), which covers infringements of data subjects' rights and carries a maximum penalty of 20 million euros or 4 percent of total worldwide annual turnover, whichever is higher.

The complaint was filed by noyb under Article 80(1) GDPR, which allows non-profit organisations focused on data protection rights to represent individuals in regulatory proceedings. Noyb, registered in Vienna with number ZVR 1354838270, has used this provision extensively across its case portfolio.

The broader pattern for LinkedIn

This is not the first time LinkedIn has faced serious GDPR scrutiny. The Irish Data Protection Commission, acting as LinkedIn's lead EU supervisory authority under the one-stop-shop mechanism, imposed a 310 million euro fine on LinkedIn Ireland in October 2024 for processing personal data for targeted advertising without a valid legal basis. That investigation originated from a complaint by the French advocacy group La Quadrature Du Net filed in 2018.

Earlier in 2024, LinkedIn discontinued group-based ad targeting in Europe following a Digital Services Act complaint from civil society groups, which had alleged the practice could allow indirect targeting based on sensitive data categories. The company removed the feature voluntarily while disputing the underlying allegation.

separate and more technically detailed investigation published in April 2026 - referred to publicly as BrowserGate - documented a covert browser scanning system that probed for more than 6,000 installed Chrome extensions on users' devices, collecting 48 hardware and software characteristics per session and routing data through third-party cybersecurity firms. That investigation triggered a class action complaint filed on 6 April 2026 in US federal court in California.

The accumulation of these cases points toward a platform navigating an increasingly pressured relationship with European data protection law. The visitor data complaint is narrower in scope than BrowserGate, but the underlying dynamic is the same: a gap between what LinkedIn says it can share and what it actually shares, depending on who is paying.

The wider context: monetising access rights

Noyb's press release frames the LinkedIn case as part of a wider pattern in which companies charge fees for access to data that, under the GDPR, should be available free of charge. The organisation cites examples including access requests processed by creditors' associations and fees for correcting names on event tickets. In each case, the logic is similar: services that companies charge for overlap with rights that European law guarantees at no cost.

This structural tension matters for the advertising and marketing industry. LinkedIn is a major B2B advertising platform, and the professional data it holds - job titles, employer relationships, seniority levels, industry affiliations - underpins the targeting capabilities that advertisers pay to access. The profile visitor feature, meanwhile, is one of the platform's core engagement tools. Knowing who views a profile is valuable for sales prospecting, recruiting, and business development. Making that visibility a Premium exclusive has been central to LinkedIn's subscription monetisation strategy.

The problem that noyb is surfacing is not merely about one user and 55 profile visitors. It raises a question about the architecture of the Premium product itself. If visitor data constitutes personal data subject to GDPR access rights - and the complaint argues it clearly does - then the entire visitor-insight feature set may need to be restructured. Either the data is available in response to access requests, or it cannot be sold through Premium. The two cannot coexist without a legally defensible distinction, and LinkedIn has not yet offered one.

The Austrian Data Protection Authority will now determine whether to uphold the complaint. If it does, the corrective order would require LinkedIn to provide the visitor data that was requested. A fine, if imposed, would add to the financial consequences LinkedIn has already incurred from European data protection enforcement in recent years. Whether the case remains within Austrian jurisdiction or escalates through the GDPR cooperation mechanism to LinkedIn's lead supervisory authority in Ireland remains to be seen.

Noyb has filed approximately 800 cases since its founding, according to the organisation's own documentation, targeting companies including Google, Apple, Facebook, and Amazon. The WetterOnline complaint filed in February 2025, in which noyb challenged a weather app's refusal to supply a full copy of user data, follows a structurally similar pattern to the LinkedIn case - a company denying access to data it clearly holds, citing effort or third-party rights, without legal justification. In that case, noyb also requested corrective action and fines under the same GDPR articles.

Timeline

  • June 2024: LinkedIn discontinues group-based ad targeting in Europe following a Digital Services Act complaint. PPC Land, June 2024
  • October 2024: The Irish Data Protection Commission fines LinkedIn Ireland 310 million euros for processing personal data for targeted advertising without valid legal basis. PPC Land, October 2024
  • October 2025: The affected LinkedIn user submits a data access request under Article 15 GDPR using LinkedIn's own download tool. The downloaded file contains no profile visitor data.
  • October 2025: LinkedIn responds, stating it does not share data belonging to other members and will not provide profile visitor information.
  • January 2025: The user contacts LinkedIn a third time, raising the logical inconsistency with Premium data sharing. LinkedIn declines again without explanation.
  • 13 March 2026: The user observes on the LinkedIn platform that 55 people visited their profile in the preceding 90 days - with names blocked behind the Premium paywall.
  • April 2026: A class action lawsuit is filed in the US District Court for the Northern District of California against LinkedIn over the BrowserGate browser extension scanning system. PPC Land, April 2026
  • April 2026: The full technical anatomy of LinkedIn's BrowserGate covert browser intelligence system is published, documenting scanning of more than 6,222 Chrome extensions. PPC Land, April 2026
  • 5 May 2026: Noyb files complaint C104 with the Austrian Data Protection Authority against LinkedIn Ireland Unlimited Company, requesting a finding of Article 15 GDPR violation, a corrective order for full data access, and financial penalties.

Summary

Who: Privacy advocacy group noyb - European Centre for Digital Rights, acting on behalf of a LinkedIn user under Article 80(1) GDPR, filed a complaint against LinkedIn Ireland Unlimited Company. The case is registered as noyb case C104. Martin Baumann, data protection lawyer at noyb, is the named legal representative.

What: Noyb alleges that LinkedIn is violating Article 15 of the GDPR by refusing to provide a user with a copy of their profile visitor data in response to a formal access request, while simultaneously making that same data available to subscribers of its paid Premium membership at approximately 29.74 euros per month. The complaint requests a finding of infringement, a corrective order requiring LinkedIn to supply the data, and the imposition of financial penalties under Article 83(5)(b) GDPR.

When: The complaint was filed with the Austrian Data Protection Authority on 5 May 2026. The underlying access request was first submitted by the complainant in October 2025, with two subsequent follow-up requests. The platform interaction that prompted the complaint occurred on 13 March 2026, when the user could see that 55 profile visits had occurred in the previous 90 days but could not identify any visitors without a Premium subscription.

Where: The complaint was filed with the Österreichische Datenschutzbehörde in Vienna, Austria. The respondent, LinkedIn Ireland Unlimited Company, is based at Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn's lead supervisory authority for GDPR purposes is the Irish Data Protection Commission in Dublin.

Why: Noyb argues that LinkedIn has constructed a commercially motivated contradiction: it invokes data protection and third-party rights as a justification for denying free access to profile visitor data, yet those same third-party privacy concerns do not prevent LinkedIn from sharing the identical information with paying Premium customers. Under the GDPR, the access right in Article 15 cannot be contingent on payment. If a company is willing to disclose personal data for a fee, it cannot simultaneously claim that disclosure would violate the rights of third parties when the same disclosure is requested free of charge under a statutory right.

Share this article
The link has been copied!