Privacy organisation Noyb filed a formal complaint with the Austrian Data Protection Authority this week, alleging that LinkedIn charges users roughly €30 per month to access data they are legally entitled to receive for free. The central question is not whether LinkedIn built a paid feature, but whether it can price access rights that EU law says companies must honour at no cost.
The complaint targets a specific gap between what the platform sells and what it discloses. Premium subscribers get a named, searchable visitor list covering 365 days. Free users see a redacted version that redirects to a signup page. When an Austrian user demanded a full copy of his personal data under GDPR Article 15, LinkedIn’s response omitted the visitor list.
The ‘recipients’ precedent
Noyb’s case rests on GDPR Article 15(1)(c), which gives EU residents the right to know the identities of any “recipients” to whom their personal data has been disclosed. Noyb argues that each person who visits a LinkedIn profile is a recipient of that owner’s data.
There is significant European Court of Justice (ECJ) precedent here. In a 2023 ruling (C-154/21), the court held that where a data controller knows the specific identities of recipients—in that case, customers of the Austrian postal company Österreichische Post—it must name them on request rather than describe categories in the abstract.
LinkedIn’s secondary position, that Privacy Policy disclosure satisfies Article 15, has not been elaborated publicly. The company has not explained whether it is arguing that visitor identities fall entirely outside the scope of the requester’s personal data, whether it is invoking the third-party-rights exception, or both.
A secondary issue runs alongside the access-rights dispute. Noyb says it is “unclear” whether LinkedIn’s practice of logging profile visitors is lawful at all, given the platform does not seek explicit consent for that activity, The Local reported. Users can opt out via a Visibility toggle in settings, heise reported, but whether an opt-out mechanism establishes a valid lawful basis for tracking is a separate regulatory question. Noyb’s position is that even if the tracking itself lacks a valid legal basis, LinkedIn’s obligation to disclose the data it already holds is not diminished by that deficiency.
What the data fight is really about
LinkedIn tracks and stores every identifiable user who accesses a given profile and uses that behavioral data for advertising, heise reported. For around €30 a month, those same records become a named, browsable visitor list for the profile owner. The same company is therefore simultaneously the data collector, the advertising beneficiary, and the vendor selling users a view of their own records.
LinkedIn’s stated reason for excluding the visitor list from the Article 15 response was that visitor identities belong to other members, not to the requester, placing them outside the scope of what the company is obliged to disclose, heise reported.
A LinkedIn spokesperson pushed back on the framing, saying “it is incorrect that only Premium members can see who has viewed their profile.” That is technically true: free users do see some profile-view information. What they cannot access is the full named list, with individual identifiers, job details, and 365-day history. The complaint targets that identifiable-record gap, not aggregate view counts.”
The ‘third-party’ defence
LinkedIn’s strongest available defence sits in Article 15’s final provision: companies may decline to produce data where disclosure would harm the rights of third parties—namely, the visitors. However, LinkedIn’s spokesperson told The Register that “it is incorrect that only Premium members can see who has viewed their profile,” noting that free users do see some information.
“Selling data to its own users is a popular practice among companies”
Martin Baumann, Noyb
Martin Baumann, a lawyer at Noyb, counters that the very existence of the Premium product undermines this privacy defence. “Since LinkedIn does provide information about profile visits to paying Premium members, it cannot consider that disclosing the data would adversely affect the rights of the visitors,” Baumann said.
Noyb is explicitly chasing a precedent. Baumann said the group wants regulators to confirm that “personal data that can be accessed when a user pays for it is also covered by their right of access.” A ruling in Noyb’s favour would, in principle, apply to any platform selling premium analytics tiers built on user behavioral data: professional networks, publishing platforms, creator tools, or any service where users pay to see detailed breakdowns of who engaged with their content. The pressure on platforms to handle user data transparently is also reshaping adjacent areas, including AI-generated fraud targeting job seekers and the growing scrutiny of how behavioural signals are used in advertising.
The complaint targets LinkedIn Ireland, the Microsoft subsidiary responsible for LinkedIn’s European operations, and asks the Austrian DPA for both a compliance order and a financial penalty, heise and APDCAT reported. Because LinkedIn Ireland is an EU entity, the Irish Data Protection Commission acts as LinkedIn’s lead supervisory authority under GDPR’s one-stop-shop mechanism. Any Austrian decision on a cross-border matter may ultimately involve or be referred to the Irish regulator, a process that has historically extended timelines considerably.
Strategic signals for compliance teams
If the Austrian regulator accepts the “recipients” theory, the implications extend to any platform that monetises behavioural analytics tiers built on user data. Compliance teams should track three key signals:
- The ‘recipients’ theory: Whether the Austrian DPA applies the C-154/21 ruling to social media profile views.
- Lawful basis: Whether LinkedIn is forced to seek explicit consent for tracking visitors rather than relying on opt-out toggles.
- Commercial vs Statutory: Whether regulators draw a line between raw data access and tiered commercial features.
“Selling data to its own users is a popular practice among companies,” Baumann said “In reality, however, people have the right to receive their own data free of charge.”
Noyb has a track record of converting targeted individual complaints into binding European precedents. The C-154/21 recipient-disclosure ruling itself grew from the same filing methodology. The Austrian DPA has not commented publicly on the complaint, and the complaint text has not been published.
For compliance teams, the structural lesson is already visible in how the complaint is constructed: if a platform processes specific, identifiable personal data and monetises access to it, sustaining the argument that the same data falls outside a user’s GDPR access rights becomes difficult, particularly where a premium product already demonstrates the company can produce the records on demand. Legal teams navigating these questions may also find value in practical guidance on secure and compliant AI-enabled legal work as regulators sharpen their focus on how platforms process and monetise personal data. Whether the DPA agrees is a different matter. That answer could take years.
Privacy organisation Noyb filed a formal complaint with the Austrian Data Protection Authority this week, alleging that LinkedIn charges users roughly €30 per month to access data they are legally entitled to receive for free. The central question is not whether LinkedIn built a paid feature, but whether it can price access rights that EU law says companies must honour at no cost.
The complaint targets a specific gap between what the platform sells and what it discloses. Premium subscribers get a named, searchable visitor list covering 365 days. Free users see a redacted version that redirects to a signup page. When an Austrian user demanded a full copy of his personal data under GDPR Article 15, LinkedIn's response omitted the visitor list.
