UK ICO publishes joint statement on data scraping and the protection of privacy

The question

What are the key privacy risks that the UK Information Commissioner’s Office (ICO) expects organisations to consider when hosting publicly accessible personal data and how can those privacy risks be mitigated?

The key takeaway

The joint statement is an invaluable blueprint on the steps that social media companies and other websites should take to protect the publicly available personal data which they host.

The background

On 24 August 2023, the ICO, along with eleven other national data protection authorities, published a “Joint Statement on Data Scraping and the Protection of Privacy”. The joint statement sets out a series of recommendations outlining how social media companies (SMCs), and operators of websites hosting publicly accessible personal data (other websites), can ensure that they adequately protect personal data in accordance with their obligations under data protection laws. The joint statement encourages SMCs, within 1 month of the statement’s issuance (24 September 2023), to provide feedback on it to their national data protection authority. Where SMCs and other websites do decide to provide such feedback on the joint statement, they are also encouraged to demonstrate their compliance with the expectations outlined therein.

Given this call for feedback, it appears that the recommendations contained within the joint statement are intended to form the basis of a guidance note which SMCs, and other websites, should follow.

The development

In the joint statement, it is confirmed that, while individuals and organisations which scrape publicly accessible personal data are responsible for ensuring that they comply with data protection laws, SMCs and other websites also have data protection obligations with respect to third-party scraping from their publicly accessible websites.

The joint statement also provides that scraped personal data can be exploited for numerous purposes. It follows that SMCs and other websites must carefully consider the legality of different types of data scraping in their jurisdictions so that they can implement measures to protect against data scraping which is unlawful.

Below is a summary of the key privacy concerns raised in the joint statement and the national data protection authorities’ recommendations for how they may be mitigated:

Key privacy concerns

The joint statement stresses that many national data protection authorities are seeing increased reports of mass data scraping from SMCs and other websites. These reports have raised concerns with respect to how this personal data is being used. The key privacy concerns identified by the national data protection authorities in relation to mass data scraping are:

• targeted cyberattacks – where scraped identity and contact information is posted on hacking forums so that it can be used by malicious actors in social engineering or phishing attacks
• identity fraud – where scraped personal data is used to submit fraudulent loan or credit card applications, or to impersonate an individual by creating fake social media accounts
• monitoring, profiling and surveilling individuals – where scraped personal data is used to populate facial recognition databases and provide unauthorised access to authorities
• unauthorised political or intelligence gathering purposes – where scraped personal data is used by foreign Governments or intelligence agencies for unauthorised purposes.
• unwanted direct marketing or spam – where scraped personal data, including contact information, is used to send bulk unsolicited marketing messages.

In addition to the above, the joint statement also provides that where data scraping leads to a loss of control by an individual over their personal data, either without their knowledge or which causes the personal data to be used in a way in which that individual would not expect, this is of particular concern as it undermines the trust which individuals have in SMCs and other websites, and has the potential to have a detrimental impact on the digital economy.

Steps SMCs and other websites should take to combat unlawful data scraping

The joint statement emphasises that because techniques for data scraping and extracting value from publicly accessible personal data are constantly evolving, SMCs and other websites need to take a dynamic approach to data security. To demonstrate this, the joint statement provides that SMCs and other websites should implement proportionate multi-layered technical and procedural controls aimed at mitigating the privacy concerns listed above, namely:

• designate a team – assign specific roles to assist in the identification and implementation of controls to protect against, monitor for, and respond to, data scraping activities
• rate limiting – consider capping the number of visits which one account can make to another account per hour or per day, thereby limiting access where unusual activity is detected
• monitoring – track how quickly and aggressively a new account searches for other users. If abnormally high activity is detected, this could be an indicator of unacceptable usage
• identify patterns – take steps to detect data scraping by identifying patterns which are specific to “bot” activity
• block “bots” – make use of CAPTCHAs and block IP addresses where data scraping activity is identified
• legal action – where data scraping is suspected or confirmed, take legal action to stop it or enforce terms and conditions which prohibit it eg by requiring the deletion of scraped personal data
• notification – where the data scraping constitutes a data breach, notify affected individuals and supervisory authorities where required under data protection laws.

The joint statement also provides that SMCs and other websites should inform their users about the steps they have taken to protect against unlawful data scraping and enable their users to engage with their platforms in a manner which protects user privacy. This can be achieved by actions such as assisting users to make informed decisions about the sharing of their personal data, or raising awareness about the privacy settings which are available to them.

In addition, SMCs and other websites are encouraged to routinely stress-test their procedural controls to ensure they remain effective and analyse any data scraping incidents, to identify areas in need of improvement.

Steps users can take to combat unlawful data scraping

The joint statement sets out the steps which users can take to empower themselves to better
protect their personal data. The steps outlined are:

• review – read the information provided by SMCs or other websites about how they share users’ personal data (eg the privacy policy)
• limit sharing – consider limiting the amount of personal data, particularly sensitive personal data, which is posted online
• manage privacy settings – use privacy settings to control the personal data which is shared and limit the personal data which can be made publicly accessible
• consequences – be aware that despite the tools which SMCs and other websites use to delete or hide personal data, it can live forever on a website if it has been indexed, scraped, and onward shared.

In addition, the joint statement provides that where users are concerned that their personal data may have been unlawfully scraped, they can contact the SMC or other website, and if dissatisfied with the response, file a complaint with their national data protection authority.

Why is this important?

The joint statement is another demonstration by the ICO of its commitment (under its ICO25 strategic plan) to safeguarding vulnerable persons while addressing recent global industry concerns on the utilisation of generative AI technology (such as those which arose during the Clearview AI investigation – see our Autumn 2022 Snapshot).

While the joint statement recognises that there are steps which individual users can take to combat the risk of unlawful data scraping, many of the obligations outlined in the joint statement remain with SMCs and other websites. Even though the joint statement requires SMCs and other websites to implement multi-layered technical and procedural controls, it also clearly sets out the key privacy concerns of several national data protection authorities. This presents an opportunity for SMCs and other websites to effectively address and mitigate those concerns and reduce the risk that their platform, website or service will become the subject of unlawful data scraping, and by extension, regulatory enforcement action.

Any practical tips?

The expectations in this joint statement set out key areas for SMCs and other websites to focus on with a view to ensuring that they protect the personal data which is publicly accessible on their platforms, websites, or services from unlawful data scraping.

By clearly setting out their expectations, national data protection authorities have provided SMCs and other websites with an invaluable future-proofing tool which they can use to ensure that they remain compliant with data protection laws. As such, when reviewing any internally or externally facing policies, plans, and Wikis, these organisations should review them in conjunction with the concerns raised, and the mitigation steps outlined, by the national data protection authorities in the joint statement.

Given the importance of trust in the regulatory as well as user relationship, SMCs and other websites may well want to consider providing feedback to the ICO on the joint statement to set out clearly how they comply with the expectations outlined therein.

Autumn 2023