The ICO publishes a joint statement with other jurisdictions to address "data scraping"

The Information Commissioner recently signed a final joint statement with privacy authorities in other jurisdictions, addressing the risks posed by data scraping to users of various online platforms (including social media websites).

This follows the initial joint statement from August 2023. It addresses the automated collection of publicly available data online (data scraping).

The original joint statement set out risks that data scraping poses to privacy, and how organisations (such as social media platforms) can help protect the personal data they hold from unauthorised scraping:

• Data protection laws apply even when data is publicly accessible.
• Online platform hosts should seek to protect publicly accessible data from unlawful data scraping.
• In many jurisdictions, harvesting on a mass scraping scale may amount to a data breach.
• Platforms should assist and empower their users to take steps to make use of the platform "in a privacy protective manner".

The subsequent consultation highlighted how generative AI not only enables data scraping on a larger scale, but can also be used as a tool for platforms to monitor and protect against unauthorised scraping.

The final joint statement reinforces and supplements the original statement to reflect the consultation and clarify what else is expected from online platforms:

• Regularly review and update safeguarding measures to "keep pace" with technological developments.
• Smaller online platforms can use a range of affordable tools to comply with their duties.
• Contracts authorising 3rd parties to scrape data should limit what information can be scraped and the purposes it can be scraped for (as permission from the platform alone does not make data scraping lawful).
• When providing large volumes of data to a scraper, use of an "Application Planning Interface" can help to provide data securely and identify unauthorised scraping.
• If a platform scrapes data from its own website to train an AI model, compliance with data protection and privacy laws remains essential.

A link to the statement can be found here.