Unlawful data scraping by social media companies: Joint Statement published by global privacy authorities

The ICO has joined privacy authorities across the world in issuing a statement about data scraping by social media companies and what is expected of organisations to ensure that individuals are protected from the risks resulting from unlawful scraping.

The statement follows the initial ‘Joint Statement on Data Scraping and the Protection of Privacy’ which was published last year (and can be found here) and contained the following four ‘key takeaways’:

  • Personal information that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions;
  • Social media companies and the operators of websites that host publicly accessible personal data have obligations under data protection and privacy laws to protect personal information on their platforms from unlawful data scraping;
  • Mass data scraping incidents that harvest personal information can constitute reportable data breaches in many jurisdictions; and
  • Individuals can also take steps to protect their personal information from data scraping, and social media companies have a role to play in enabling users to engage with their services in a privacy protective manner.

After the publication of the initial statement, privacy authorities engaged with various social media organisations to understand the steps that they were taking – and the challenges they faced – to protect publicly accessible data on their platforms from unlawful scraping. This engagement has led to the publication of the latest joint statement, which includes additional expectations of these companies.

In particular, the Joint Statement emphasises that it is expected that “all companies, not just social media companies, protect the publicly accessible personal information that they host against unlawful scraping. Failure to implement adequate safeguards in compliance with applicable laws could result in regulatory intervention, including enforcement action”. It recognises that some SMEs might not have the same resources as major social media companies, but makes clear that this does not absolve them of their responsibility to protect against unlawful scraping, pointing to a variety of tools that are available (such as bot detection, rate limiting and CAPTCHAs) which “can be accessible to SMEs on a more modest budget”.

The Joint Statement also makes specific reference to the training of AI models, noting that the subject of unlawful data scraping has received considerably more attention since the advent of generative AI systems. It reminds those engaged in data scraping in order to train AI models that they must “implement measures to ensure that their data practices comply with data protection and privacy laws”. It also points to the need to ensure that where data scraping may be permissible for “research and or other potentially socially beneficial purposes”, organisations must again ensure that they are complying with applicable data protection and privacy laws, noting that not all jurisdictions provide for “public interest, research or statistical purposes” as exceptions to the requirement for consent or as a lawful basis for the processing of personal data.

As for how to demonstrate compliance with data protection and privacy laws, the Joint Statement reiterates that “contractual terms cannot in and of themselves render data scraping lawful”. Instead, it states that organisations must ensure that: (a) they have a lawful basis for granting access to or permitting the collection of personal data; (b) they are transparent about the scraping they allow; and (c) they obtain consent where required by law. Furthermore, it reinforces that “organizations should implement adequate measures to ensure that contractually-allowed use of scraped personal data is compliant with applicable data protection and privacy laws. The contract could, for example, specify limitations on the information that may be scraped and the purposes for which it may be used, as well as the consequences for non-compliance with those terms. However, organizations cannot simply rely on contractual measures. They should also implement measures to monitor third parties’ compliance with contractual limitations, and to enforce compliance when those terms are not respected”.

Finally, the Joint Statement makes clear that data protection authorities expect organisations to regularly review and update safeguarding measures to keep up with technological developments.

To read the Joint Statement in full, click here.
