Global authorities publish initiative on data scraping and protection

Statement from 12 nations aims to protect users’ data from unlawful scraping, and has been sent to the largest social media companies.

Twelve global data protection and privacy authorities have published a joint statement calling for the protection of people’s personal data from unlawful data scraping taking place on social media sites.

The authorities warn that data scraping, which is an automated way to pull large amounts of information from the web, can create privacy risks and potential harms for social media users.

“This joint statement helps provide certainty, and consistency across borders, in how data protection applies to information people post online. Organisations must have a lawful reason for collecting and using people’s data, even when it is publicly available,” said Stephen Bonner, ICO Deputy Commissioner for Regulatory Supervision.

“International collaboration is critical to promoting and protecting privacy rights in the digital realm and addressing emerging issues such as mass data scraping, which can present a significant risk to fundamental privacy rights,” said Philippe Dufresne, Privacy Commissioner of Canada.

Social media companies

With the joint statement, the authorities have set expectations for how social media companies should protect users’ data from unlawful data scraping.

“The practices outlined in this joint statement reflect common global data protection principles and practices, and are designed to help protect against data scraping of personal information and mitigate against its privacy impacts,” the statement says. “While the expectations are phrased as recommendations (using the term ‘should’), many of them are explicit statutory requirements in particular jurisdictions or may be interpreted as such by courts and data protection authorities.”

It has also been sent directly to Alphabet Inc. (YouTube), ByteDance Ltd. (TikTok), Meta Platforms, Inc. (Instagram, Facebook and Threads), Microsoft Corporation (LinkedIn), Sina Corp. (Weibo), and X Corp. (X, formerly known as Twitter).

“We are seeing increased reports of mass data scraping from social media and remind organisations that such incidents may require reporting to the ICO as a personal data breach,” Bonner added.

Privacy concerns

For the last years, many data protection authorities have seen increased reports of mass data scraping from social media and other websites, which have raised worries about a number of privacy concerns, including;

  • targeted cyberattacks – where data can used by by malicious actors in targeted social engineering or phishing attacks;
  • identity fraud – to apply for fraudulent loan or credit cards, or to impersonate individuals by creating fake social media accounts;
  • monitoring, profiling and surveilling individuals – to populate facial recognition databases and provide unauthorised access to authorities;
  • unauthorised political or intelligence gathering purposes – to be used by foreign governments or intelligence agencies for unauthorised purposes;
  • unwanted direct marketing or spam – to send bulk unsolicited marketing messages.

The joint statement is signed by 12 authorities brought together by the Global Privacy Assembly.

  • Office of the Australian Information Commissioner.
  • Office of the Privacy Commissioner of Canada.
  • Information Commissioner’s Office – United Kingdom.
  • Office of the Privacy Commissioner for Personal Data – Hong Kong, China.
  • Federal Data Protection and Information Commissioner – Switzerland.
  • Datatilsynet – Norway.
  • Office of the Privacy Commissioner – New Zealand.
  • Superintendencia de Industria y Comercio – Columbia.
  • Jersey Office of the Information Commissioner.
  • CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) – Morocco.
  • AAIP (Agency for Access to Public Information) – Argentina.
  • INAI (National Institute for Transparency, Access to Information and Personal Data Protection) – Mexico.