News

Global privacy regulators join forces to warn about scraping publicly available information

Image
Image

On August 24, 2023, twelve international data protection and privacy regulators from the Americas, Europe, Africa, and APAC announced their “global expectations of social media platforms and other sites to safeguard against unlawful data scraping”. This appears to be in response to the increasing use of data scraping technologies and reiterates guidance previously provided by regulators like the Office of the Australian Information Commission and United Kingdom’s Information Commissioner’s Office following investigations into the personal information handling practices of Clearview AI, Inc. and breach notification obligations.

The regulators are looking for feedback from companies by September 24, 2023 about how social media platforms currently comply, or intend to comply with the expectations and principles detailed in the joint statement. According to the statement, it has been sent directly to many of the highest profile social media companies.

Key takeaways from the statement include reiterating that:

  • Publicly accessible personal information is still subject to data protection and privacy laws in most jurisdictions.

  • Social media companies and the operators of websites that host publicly accessible personal data have obligations under data protection and privacy laws to protect personal information on their platforms from unlawful data scraping.

  • Mass data scraping operations that collect personal information can constitute reportable data breaches in many jurisdictions and many data protection authorities have seen increased reports of mass data scraping.

  • Individuals can take steps to protect their personal information from data scraping.

  • Social media companies have a role to play in enabling users to engage with their services in a privacy protective manner.

The statement highlights privacy risks associated with data scraping, including the use of scraped data for targeted cyberattacks, identity fraud, monitoring, profiling and surveilling individuals, unauthorized political or intelligence gathering purposes, and unwanted direct marketing or spam. It appears to take a grim view of scraping, focusing on its potential to be used for nefarious purposes. While data collected from scraping may be used for such purposes, it can also enable critical activities like creating search engines or machine learning and artificial intelligence technologies, research, cybersecurity, fraud prevention, copyright protection, among many others.

The statement suggests that website operators that suffer mass data scraping of personal information may be subject to data breach reporting obligations. And it seems to assert that website operators have an affirmative obligation to try to block unlawful scraping through implementing safeguards such as rate limiting traffic and identifying and blocking bots. The statement does not make it clear where the line is between lawful and unlawful scraping or how a website operator might distinguish between the two.

It also outlines how social media companies and other websites should protect individuals’ personal information from unlawful data scraping to meet regulatory expectations, such as by implementing multi-layered technical and procedural controls to mitigate risk, and gives concrete examples of the types of controls they would like to see.

Recognizing that safeguards are not 100% effective, the statement emphasizes the steps that individuals can take to help minimize the privacy risks from scraping. These include individual reviewing information provided by social media companies and websites about how their personal information will be shared, thinking about the amount and kinds of information shared, and utilizing the settings and controls provided by companies over how their personal information is shared online.

Ultimately, this statement emphasizes the increasing level of concern regulators across the globe have in web scraping activities and how personal data is being used. Those involved in data scrapping, as well as those websites likely to be targeted for such activities, should take notice of these concerns as part of their ongoing data governance and privacy compliance efforts.

Hopefully the regulators will provide further clarification on the extent to which they are expecting companies outside of the social media industry to implement these types of restrictions on scraping, and how companies would be expected to assess lawful versus unlawful scraping activities. In the interim, social media companies and other companies that present significant volumes of personal data on their website may wish to consider whether protective measures such as those outlined in this statement may be appropriate.

 

Authored by Eduardo Ustaran, Bret Cohen, Nathan Salminen, and Alyssa Golay.

Search

Register now to receive personalized content and more!