A  coalition of 16 international data protection authorities issued a concluding statement emphasizing the need for robust privacy protections against unlawful data scraping. This October 2024 statement builds upon their initial joint declaration from August 2023, reinforcing expectations for social media companies (SMCs) and other organizations to safeguard publicly accessible personal data.

1. Applicability of Privacy Laws: Publicly accessible personal data remains subject to data protection and privacy laws in most jurisdictions. SMCs and website operators are obligated to protect such data from unauthorized scraping.

2. Contractual Limitations: While some platforms permit data scraping through terms and conditions, these agreements cannot override privacy laws. Organizations must ensure a lawful basis for data collection, obtain consent where required, and enforce compliance among third parties.

3. Advancements in Scraping Techniques: The coalition highlighted the increasing sophistication of scraping methods, often enhanced by artificial intelligence (AI). While some scrapers use AI to evade detection, platforms are also employing AI to bolster their protective measures.

4. Implementation of Protective Measures: Engagements with platforms such as Alphabet, ByteDance, Meta, Microsoft, Sina Corp., and X Corp. revealed that many SMCs have adopted multi-layered protections. These include user behavior monitoring, CAPTCHAs, rate limiting, and legal actions like cease-and-desist letters to deter unauthorized access.

5. Challenges for SMEs: The statement acknowledged that small and medium enterprises (SMEs) might face resource constraints in implementing these protections. However, SMEs are equally responsible for safeguarding personal data and can adopt cost-effective solutions like basic bot detection and rate limiting. Third-party providers can also assist in maintaining compliance.

6. Authorized Scraping for Beneficial Purposes: When SMCs permit data scraping for social or commercial benefits, they must adhere to strict guidelines. Providing access via Application Programming Interfaces (APIs) allows better control over data sharing and monitoring, ensuring transparency and additional safeguards against unauthorized scraping.

7. Use of Scraped Data in AI Development: The coalition expressed concerns over the use of scraped data to train generative AI models. They urged organizations to comply with both privacy and AI-specific laws, referencing global frameworks like the G7’s Hiroshima Process as guiding principles for responsible AI data use.

The coalition comprises data protection authorities from the following jurisdictions:

• Australia: Office of the Australian Information Commissioner

• Argentina: Agency for Access to Public Information

• Canada: Office of the Privacy Commissioner of Canada

• Colombia: Superintendence of Industry and Commerce

• Guernsey: Office of the Data Protection Authority

• Hong Kong: Office of the Privacy Commissioner for Personal Data

• Israel: Privacy Protection Authority

• Jersey: Office of the Information Commissioner

• Mexico: National Institute for Transparency, Access to Information and Personal Data Protection

• Monaco: Commission for the Control of Personal Information

• Morocco: National Commission for the Control of Personal Data Protection

• New Zealand: Office of the Privacy Commissioner

• Norway: Data Protection Authority

• Spain: Spanish Data Protection Agency

• Switzerland: Federal Data Protection and Information Commissioner

• United Kingdom: Information Commissioner’s Office

Since the initial statement, unlawful data scraping has garnered increased attention, partly due to the rapid deployment of generative AI systems. Data protection authorities worldwide are actively raising awareness and issuing guidance on this issue. The coalition emphasized that all organizations hosting publicly accessible personal information must implement adequate safeguards, warning that noncompliance could lead to enforcement actions, including joint investigations and penalties.

The statement also called for continued collaboration among global regulators and encouraged SMCs to work together in addressing data scraping threats. The coalition expressed appreciation for the openness of industry discussions, which allowed for the establishment of these expectations without formal enforcement, benefiting all parties involved.

Need Help?

Keeping track of the growing AI regulatory landscape can be difficult. So if you have any questions or concerns, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.