On August 24, 2023, 12 data protection authorities published a joint statement calling for the protection of personal data from unlawful data scraping. The statement was issued by the authorities of Argentina, Australia, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the UK. The joint statement reminds organizations that personal data that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions, and highlights the risks facing such data, including increased risk of social engineering or phishing attacks, identity fraud, and unwanted direct marketing or spam.
The statement sets expectations for how social media companies and other website operators that host publicly accessible data should protect such data from unlawful data scraping. It recommends the use of multi-layered technical and procedural controls to mitigate risks, such as “rate limiting” the number of visits per hour or day by one account, and then limiting access if unusual activity is identified, and taking steps to detect scrapers by identifying patterns in “bot” activity. The statement also recommends steps that individuals can take to minimize risks when sharing information online, such as reading the information provided by the social media company or other website about how it shares personal data, being considerate of the amount and kinds of data the individual is sharing, and understanding and managing privacy settings.
The authorities invite relevant organizations to respond to the statement and demonstrate how they comply with the expectations outlined in the statement.