On August 24, 2023, some members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group published a joint statement on data scraping (Statement). Signatories to the Statement include the privacy regulators of the UK, Australia, Argentina, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, and Switzerland.[1] Notably absent from the list of signatories were the U.S. Federal Trade Commission and the California Privacy Protection Agency, both of which are accredited members of the Global Privacy Assembly. This seems likely due to First Amendment considerations in the U.S. regarding data scraping, which have led to “publicly available” information being broadly excluded from recent U.S. state privacy laws.
The Statement identifies the regulators’ opinions on key privacy risks arising from unauthorized data scraping and outlines the expectations that those regulators have for companies whose websites are targets of such activities (such as social media companies) to protect against unlawful practices. The Statement will most likely be followed by a sweep of social media companies and websites for compliance with applicable privacy laws.
Key Privacy Risks
The Statement refers to “data scraping” as involving “the automated extraction of data from the web.” The Statement notes that, in most jurisdictions, the use of personal information is still regulated even if it is made publicly available, and that regulators have observed an increase in the number of incidents involving data scraping. Regulators caution that publicly available data can be used for harmful purposes such as identity fraud, targeted cyberattacks, unauthorized data gathering by intelligence agencies, including surveillance, and unwanted direct marketing.
The Statement is a continuation of regulatory focus on data scraping and, by extension, potentially data brokerage. EU privacy regulators, including in France[2], Italy, the Czech Republic[3], and Greece[4], have investigated and fined companies for scraping data. In November 2022, the Irish privacy regulator fined a social media company EUR 265 million partially for failing to implement appropriate measures to prevent data scraping.[5]
Actions That Companies Are Expected to Take to Protect Against Unlawful Data Scraping
The Statement notes that social media companies and other website operators that process publicly accessible data are responsible for protecting such data from scraping. The Statement recommends that such companies apply a combination of the following “multi-layered technical and procedural controls” to mitigate the risks:
- Dedicating human resources (e.g., a team or a particular role holder) to identify and implement controls to protect against, monitor for, and respond to scraping activities.
- Proactively monitoring for potential scraping activities. This could include monitoring new accounts, including how many other users those accounts can view right away, to identify accounts that are being used for data scraping activity.
- Taking (legal) action against the data scraper. For example, in certain jurisdictions it may be proportionate to block the IP address where data scraping activity is identified, or to send a cease-and-desist letter. In other jurisdictions, taking such action may not be appropriate for other reasons.
- Increasing user awareness and understanding of privacy settings. This can empower users to decide what information should be publicly available, and therefore provide them with a degree of control.
- Ensuring compliance with local privacy law requirements regarding scraping. Depending on the local law, data scraping may constitute a data breach, and individuals and privacy regulators may need to be notified.
Next Steps
The regulators invite relevant organizations to respond to the Statement and demonstrate how they comply with the expectations outlined therein by September 24, 2023. The publication of this Statement will likely be followed by a sweep of social media companies and websites for compliance with the above measures (similar to cookie sweeps run in the past) or broader compliance with applicable privacy law when using scraped data.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy issues and investigations in jurisdictions across the globe. For more information, please contact Cédric Burton, Yann Padova, Laura Brodahl, or Tom Evans.
Hattie Watson contributed to the preparation of this blog post.
[1] The Joint Statement is issued by the Global Privacy Assembly’s International Enforcement Cooperation Working Group. The Working Group is constituted of a subset of regulatory authorities who participate on a voluntary basis.
[2] CNIL Clearview AI decision, available at https://www.cnil.fr/en/facial-recognition-20-million-euros-penalty-against-clearview-ai.
[3] Czech Republic decision against company for scraping data, available at https://www.uoou.cz/zpracovani-osobnich-udaju-na-webovych-strankach-formou-preklapeni-udaju-z-verejnych-rejstriku-uoou-00196-20/ds-6496/archiv=0&p1=5649.
[4] Hellenic Data Protection Authority Clearview AI decision press release, available at https://www.dpa.gr/el/enimerwtiko/prakseisArxis/epiboli-prostimoy-stin-etaireia-clearview-ai-inc.
[5] Irish Data Protection Commissioner Meta Decision press release, available at https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry.