Out-Law News

Online platforms given guidance on how to address unlawful data scraping


Data protection authorities (DPAs) have advised social media companies and website operators to implement “multi-layered technical and procedural controls” to guard against unlawful data scraping.

The advice was issued by 12 DPAs based around the world – including the UK’s Information Commissioner’s Office (ICO), Australia’s Office of the Australian Information Commissioner (OAIC), and the Office of the Privacy Commissioner for Personal Data in Hong Kong – and is contained in a joint statement, which provides further guidance on what controls could be applied (6-page / 863KB PDF).

The statement was issued in response to what the authorities said had been “increased reports of mass data scraping from [social media companies] and other websites” in recent years, which typically involves third parties using technology to automatically extract data from online platforms for their or others’ use.

The DPAs said unlawful data scraping can lead to individuals losing control over how their personal data is processed and raises a number of privacy concerns, including putting individuals at risk of being the victim of targeted cyber attacks, identity fraud, profiling and surveillance, unauthorised political or intelligence gathering, and of receiving unwanted direct marketing or spam.

To address those risks, the DPAs suggested that social media companies and other website operators should apply a “combination” of technical and procedural controls in a manner that is “proportionate to the sensitivity of the information”.

They said the businesses could consider designating a team or specific roles within their organisations “to identify and implement controls to protect against, monitor for, and respond to scraping activities”. Other controls they suggested included identifying patterns in ‘bot’ activity and blocking the IP address where data scraping activity is identified, and ‘rate limiting’ the number of visits per hour or day by one account to other account profiles – and limiting access to their platforms if unusual activity is detected.

The DPAs also advocated the use of ‘cease and desist’ letters among other “appropriate legal action” to obtain the deletion of scraped information and confirmation of the deletion, as well as other actions to enforce terms and conditions prohibiting data scraping.

The businesses were also encouraged to enable their users to “engage with their services in a privacy protective manner”, such as by “increasing user awareness and understanding of the privacy settings they can utilise”.

The DPAs also used their statement to highlight that where data is scraped from platforms on an unlawful basis, the platform operators may be required to report those incidents to DPAs and affected individuals in certain jurisdictions.

The DPAs said: “Given the dynamic nature of data scraping threats, [social media companies] and other websites should continuously monitor for, and respond with agility to, new security risks and threats from malicious or other unauthorised actors to their platform. Controls should be routinely stress-tested and updated to ensure that they remain effective and keep pace with changing technologies. [Social media companies] and other websites should also collect and analyse metrics on scraping incidents, to inform and identify areas of improvement in their security control framework.”

The joint statement on data scraping has been issued at a time when facial recognition software provider Clearview AI is appealing a fine imposed in 2022 by the ICO, which followed a joint investigation with the OAIC. As part of the enforcement action taken, the ICO ordered Clearview AI to stop obtaining and using the personal data of people in the UK sourced from the public internet, and to delete from its systems the data of UK residents it has already gathered. Data protection authorities in France, Italy and Greece have also imposed fines on Clearview AI under the EU General Data Protection Regulation (GDPR).
