This story has been updated. Please see the most recent update below.

International: DPAs release statements on data scraping

On October 28, 2024, the Office of the Privacy Commissioner of Canada (OPC) announced the publication of a Concluding Statement on data scraping and the protection of privacy. This follows an initial joint statement in August 2023. The Concluding Statement was endorsed by members of the Global Privacy Assembly's (GPA) International Enforcement Cooperation Working Group.

The Concluding Statement was published following industry engagement with social media companies (SMCs) and other organizations including Alphabet Inc. and Microsoft Corporation, among others.

The Concluding Statement outlined that:

• personal information that is publicly accessible is subject to data protection and privacy laws in most jurisdictions;
• SMCs and the operators of websites that host publicly accessible personal data have an obligation to protect publicly accessible personal data from data scraping that violates data protection and privacy laws;
• mass data scraping incidents that harvest personal information can constitute reportable data breaches in many jurisdictions; and
• individuals can take steps to protect their personal information from data scraping, and SMCs have a role to play in enabling users to engage with their services.

Recommendations

In addition, the Concluding Statement recommends and clarifies that:

• organizations should deploy a combination of safeguarding measures and regularly review and update them to keep pace with data scraping;
• while artificial intelligence (AI) is used to evade detection, it can also enhance protections against unlawful data scraping;
• the obligation to protect against unlawful data scraping applies to both large corporations and Small and Medium Enterprises (SMEs);
• where SMCs contractually authorize data scraping of personal data, the contractual terms cannot render scraping lawful;
• organizations who permit scraping of personal data for any purpose, including commercial and socially beneficial purposes, must ensure that they have a lawful basis, are transparent about the scraping they allow, and obtain consent where required;
• organizations should implement adequate measures, including contractual terms and associated monitoring, to ensure the contractually authorized use of scraped personal data is compliant;
• organizations granting lawful permission for third parties to collect publicly accessible personal data from its platform, such as through an applied programming interface (API), can allow the organization greater control over the data and facilitate the detection and mitigation of unauthorized scraping; and
• SMCs and other organizations that use scaped data from their own platforms to train AI, such as large language models (LLM), must comply with data protection and privacy laws.

You can read the press release here and the Concluding Statement here.

Updated: October 30, 2024

Hong Kong: PCPD publishes statement on data scraping

On October 29, 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) published a press release on the joint statement it made as part of the GPA International Enforcement Cooperation Working Group.

The PCPD Privacy Commissioner, Ada Chung Lai-ling, stated that "the PCPD, as the co-chair of the Global Privacy Assembly's International Enforcement Cooperation Working Group, together with the privacy or data protection authorities of other jurisdictions, issued the Joint Statement with the aim of reminding social media platforms and websites that host publicly accessible personal data that they have a responsibility to ensure that those personal data are adequately protected against unlawful data scraping, as well as providing further guidance to the industry."

The PCPD clarified that data scaping can result in personal data being sold on the dark web without the knowledge and consent of the data subject, leading to the exploitation of personal data for targeted cyberattacks, identity fraud, and unwanted direct marketing or spam.

You can read the press release here.

Updated: November 4, 2024

Switzerland: FDPIC provides comments on data scraping

On October 31, 2024, the Federal Data Protection and Information Commissioner (FDPIC) issued a press release commenting on the GPA members' joint statement on data scraping.

The FDPIC highlighted that the joint statement lays out certain expectations for companies, including to:

• comply with privacy and data protection laws when using personal information, including from their own platforms, to develop AI LLM;
• deploy a combination of safeguarding measures and regularly review and update them to keep pace with advances in scraping techniques and technologies;
• ensure that permissible data scraping for commercial or socially beneficial purposes is done lawfully and in accordance with strict contractual terms; and
• to use platform design elements that make it harder to scrape data using automation.

You can read the press release here.

Updated: November 5, 2024

UK: ICO publishes statement on data scrapping after industry engagement

On October 28, 2024, the Information Commissioner's Office (ICO) issued a news article commenting on the GPA members' joint statement on data scraping. In particular, the ICO noted, together with its counterparts from 16 global data protection authorities, that the ICO engaged with some of the world's largest social media companies after issuing an initial joint statement in August 2023. As a result of this engagement, they have now issued a follow-up statement laying out additional takeaways for the industry.

The follow-up joint statement provides additional guidance to help companies ensure that the personal information of their users is protected from unlawful scraping.

You can read the press release here.

Updated: October 29, 2024

Norway: Datatilsynet publishes statement on data scraping

On October 28, 2024, the Norwegian data protection authority (Datatilsynet) published a press release on the joint statement it made as part of the GPA International Enforcement Cooperation Working Group.

Datatilsynet noted that the statement clarifies that privacy rules determine when data can be scraped to train AI models and explains how AI can both pose challenges to and help in the fight against illegal data scraping.

You can read the press release, only available in Norwegian, here.