On 24 August 2023, in conjunction with data protection authorities in eleven other countries, the UK's Information Commissioner's Office ("ICO") published a joint statement regarding data scraping and the protection of privacy.

Data scraping refers to an automated means of extracting data from the web. While not in itself illegal, data protection authorities have reported that incidents involving mass data scraping are increasing, particularly from social media companies ("SMCs") and other websites hosting publicly available personal data. The consequences of these privacy breaches can be severe and long-term.

The joint statement therefore targeted three key areas: the privacy risks of unlawful data scraping; how SMCs and other websites should protect the personal data for which they are responsible; and how individuals can minimise privacy risks from data scraping.

Privacy risks of unlawful data scraping

There are many privacy risks unleashed by the unlawful scraping of personal information, but broadly they may be separated into two categories: the exploitation of personal data to target individuals, and the exploitation of personal data for purposes beyond the knowledge or consent of data subjects.

Individuals may be targeted by personalised cyberattacks, phishing scams, or social engineering, as well as unwanted direct marketing and spam. Without the data subject's knowledge, this data may be sold for the purposes of identity fraud or unauthorised surveillance. In this way, details of an individual's finances, personal life, political views, and even movements may be amassed by malicious actors, including unauthorised foreign governments and intelligence agencies.

At the root of the privacy risk to individuals is the loss of control over their personal information, scraped without their knowledge and used for purposes which they neither expected nor agreed to. Once scraped, the personal information may continue to be used and shared in perpetuity, rendering it effectively impossible for an individual to control, limit, or delete their digital presence. Furthermore, this may have a direct negative impact on the digital economy as users become increasingly disillusioned and lose trust in SMCs and other websites.

How SMCs and other websites should protect personal data

In many jurisdictions, it is the legal responsibility of the host SMC or website to protect even publicly accessible personal information from unlawful data scraping. With new methods of data scraping constantly emerging, the statement recommends that SMCs and other websites implement protective measures, including measures to mitigate risk, that are similarly dynamic. Multi-layered technical and procedural controls are therefore of critical importance.

Controls suggested by the joint statement include: designating dedicated data protection and privacy teams to implement controls and monitor threats, rate limiting access for accounts where unusual or excessive activity is detected, and identifying bots and suspicious IP addresses using techniques like CAPTCHA. Also proposed is the regular monitoring, review, and improvement of these security control frameworks.

In order to build trust with individual users, the SMCs and websites themselves are advised to proactively raise awareness of the risks associated with sharing personal data online, and make transparent the protective measures and privacy settings that they have in place.

How individuals can protect their own personal data

Since no data privacy safeguard can ever be entirely guaranteed, individuals are asked to take a long-term view of the personal information which they choose to share publicly. The statement recommends that users empower and protect themselves by minimising the extent of the data they share, reading the privacy policies provided by the SMCs and websites, reviewing their individual privacy settings, and reporting any abuses to the relevant data protection authority.

Going Forwards

Urging the SMCs and other websites to take action, the statement concludes with an invitation to submit feedback on how they intend to comply within 1 month of its issuance. Although the intended audience encompasses both users and host platforms, it was sent directly to six global sector leaders: Alphabet Inc. (YouTube), ByteDance Ltd. (TikTok), Meta Platforms Inc. (Instagram, Facebook, Threads), Microsoft Corporation (LinkedIn), Sina Corp (Weibo), and X Corp. (X, previously Twitter).

This global initiative, brought together by the Global Privacy Assembly, demonstrates that the international scope of the issues involved is matched by a consistent approach to data protection principles and practice across jurisdictions.

The joint statement on data scraping and the protection of privacy can be found here.
