Date: 25 August 2023
Data Scraping on Social Media Raises Concerns
The PCPD, together with Other Privacy Protection Authorities,
Promulgates Global Privacy Protection Expectations and Principles
to Social Media Platforms
The Office of the Privacy Commissioner for Personal Data (PCPD), together with eleven privacy or data protection authorities from Argentina, Australia, Canada, Colombia, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the United Kingdom, today issued a joint statement on global expectations on privacy protection to social media platforms and other websites that host publicly accessible personal data.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “In recent years, there have been increased reports of mass data scraping from online platforms, particularly social media platforms, which are linked to the commission of data fraud and other crimes. As the co-chairman of the Global Privacy Assembly (GPA)’s International Enforcement Cooperation Working Group (IEWG), the PCPD joined hands with its international counterparts and promulgated global expectations and principles on privacy protection, with a view to highlighting the key privacy risks associated with data scraping, and reminding social media platforms and other websites of their responsibilities to protect personal data from unlawful data scraping.”
Data scraping, which generally involves the extraction of data (including personal data) from the web by automated processes, raises significant privacy concerns. It can result in personal data being sold on the dark web without the knowledge and consent of the data subject, leading to exploitation of personal data for targeted cyberattacks, identity fraud, and unwanted direct marketing or spam messages.
In the joint statement, the signatories point out that:
Personal information that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions;
Social media companies and the operators of websites that host publicly accessible personal data have obligations under data protection and privacy laws to protect personal information on their platforms from unlawful data scraping; and
Mass data scraping incidents that harvest personal information can constitute reportable data breaches in many jurisdictions.
The signatories recommend that these social media platforms and websites should also implement multi-layered technical and procedural controls to mitigate the privacy risks of data scraping, which include, among others:
Designating a team and/or specific roles to identify and implement controls to protect against data scraping activities;
Taking steps to review automated scraping programmes and data scraping activities, and taking action to stop such activities;
Monitoring accounts with unusually high engagement with other accounts so as to block suspicious accounts; and
Continuously monitoring security risks and threats from malicious or other unauthorised actors to their platforms.
In addition, the signatories remind users, before sharing their personal data online, to beware of the risk that their personal data could be within the reach of potential scrapers who could use it for harmful purposes. Users are also advised on the measures they can take to mitigate the risk of data leakage.
The joint statement is signed by twelve authorities brought together through the GPA IEWG. In addition to the PCPD, other signatories include the Agency for Access to Public Information of Argentina, the Office of the Australian Information Commissioner, the Office of the Privacy Commissioner of Canada, the Superintendencia de Industria y Comercio of Colombia, the Jersey Office of the Information Commissioner, the National Institute for Transparency, Access to Information and Personal Data Protection of Mexico, the CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) of Morocco, the Office of the Privacy Commissioner of New Zealand, the Datatilsynet of Norway, the Federal Data Protection and Information Commissioner of Switzerland and the Information Commissioner’s Office of the United Kingdom.
The joint statement has been sent to various companies running major social media platforms, including Alphabet Inc. (YouTube), Meta Platforms, Inc. (Instagram, Facebook and Threads) and Microsoft Corporation (LinkedIn). The signatories look forward to receiving feedback from the companies within one month about how they currently comply, or intend to comply, with the expectations and principles detailed in the joint statement.
The joint statement can be downloaded here
The GPA is a global forum for data protection and privacy authorities which seeks to provide leadership at international level in the protection of data and privacy. The IEWG, as a working group under the GPA, advocates cross-jurisdictional cooperation among data protection authorities and helps drive cross-jurisdictional enforcement collaboration. The PCPD has been the co-chairman of the IEWG since October 2021 in order to play a more important and strategic role in international enforcement initiatives and priorities.