Data Scraping and Privacy Protection: A Global Effort
Introduction
In October 2024, the International Enforcement Cooperation Working Group (IECWG) of the Global Privacy Agency (GPA) released its Concluding Joint Statement on data scraping and the protection of privacy. This statement is the culmination of engagement with social media companies (SMCs) and various stakeholders, including the Mitigating Unauthorized Scraping Alliance (MUSA).
The Concluding Joint Statement
The Concluding Joint Statement outlines three objectives:
- To outline the key privacy risks associated with data scraping
- To set out how SMCs and other organizations should protect individual personal information
- To set out measures that individuals can take to protect their personal data
Key Takeaways
- Publicly accessible personal data is subject to data protection and privacy laws in most jurisdictions
- SMCs and operators that host publicly accessible personal data have an obligation to protect personal data from unlawful scraping
- Mass data scraping can constitute reportable data breaches in many jurisdictions
- Individuals can take steps to protect their personal data, and companies should enable users to engage with them in a way that protects their privacy
- The responsibility to protect personal data against unlawful scraping also applies to large and small and medium-sized enterprises (SMEs)
- SMEs can utilize cost-effective measures provided by third-party service providers to comply with their obligations
Permitted Scraping, Lawful Scraping, and Access to Data for Research and Socially Beneficial Purposes
- Contractual terms cannot render scraping lawful; SMCs and other organizations must ensure there is a legal basis, maintain transparency, and obtain consent when required by law
- Data protection requires a dynamic response; SMCs and other organizations should implement multilayered technical and procedural controls and safeguards that are regularly reviewed and updated
- Providing access to data through an Application Programming Interface (API) allows greater control over the scraped data
AI and Data Scraping
- AI can serve to enhance protection against unlawful scraping
- SMCs and other organizations that use data from their platforms, including scraped data, to train Large Language Models must comply with data protection and privacy laws, as well as AI-specific laws or available guidelines and principles on the subject
Conclusion
The Concluding Joint Statement highlights the importance of data scraping and privacy protection in light of the latest developments in generative AI. The global effort to address this issue is crucial in ensuring the protection of individuals’ rights and freedoms.
FAQs
- What is data scraping?
Data scraping refers to the automated extraction of personal data from the web. - What is the purpose of the Concluding Joint Statement?
The Concluding Joint Statement aims to outline the key privacy risks associated with data scraping, set out how SMCs and other organizations should protect individual personal information, and set out measures that individuals can take to protect their personal data. - Who is involved in the Concluding Joint Statement?
The Concluding Joint Statement is signed by 16 data protection authorities from around the world, including Australia, Canada, the United Kingdom, and more. - What is the significance of AI in data scraping?
AI can serve to enhance protection against unlawful scraping, and SMCs and other organizations must comply with data protection and privacy laws, as well as AI-specific laws or available guidelines and principles on the subject.
