In October 2024 the International Enforcement Cooperation Working Group (IECWG) from the Global Privacy Agency (GPA) issued a Concluding Joint Statement on data scraping and the protection of privacy. It completes the Initial Joint Statement on data scraping and the protection of privacy published in August 2023. It contains three objectives: firstly, to outline the key privacy risks associated with data scraping; secondly, to set out how Social Media Companies (SMCs) and other organisations should protect individual personal information; and thirdly, to set out measures that individuals can take to protect their personal data. 

The Concluding Joint Statement is the outcome of engagement with SMCs and various stakeholders, such as the Mitigating Unauthorized Scraping Alliance (MUSA). It provides additional guidance to ensure the protection of personal data and privacy in relation to data scraping. The Statement focuses predominantly on private actors, including small and medium-sized enterprises. It also acknowledges both the negative and positive impacts of AI on data scraping and encourages stakeholders to leverage AI to protect personal data from unlawful scraping. The co-signatories emphasise that the statements only address the automated extraction of personal data from the web, and do not cover indexation or the scraping of non-personal information. 

The Concluding Joint Statement has been endorsed by the same twelve data protection authorities who issued the initial joint statement (Australia, Canada, United Kingdom, Hong Kong DPA, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, Argentina, Mexico) along with four new ones (Guernsey, Monaco, Spain and Israel).  

The key takeaways from the two Joint Statements are as follows: 

1. Protection of personal information from unlawful data scraping
   
   • Publicly accessible personal data is subject to data protection and privacy laws in most jurisdictions.
   • SMCs and operators that host publicly accessible personal data have an obligation to protect personal data from unlawful scraping.
   • Mass data scraping can constitute reportable data breaches in many jurisdictions.
   • Individuals can take steps to protect their personal data, and companies should enable users to engage with them in a way that protects their privacy.
   • The responsibility and obligation to protect personal data against unlawful scraping also apply to large and Small and Medium Enterprises (SMEs).
   • SMEs can utilise cost-effective measures provided by third-party service providers to comply with their obligations. 
     
     
2. Permitted scraping, lawful scraping and access to data for research and socially beneficial purposes
   
   • Contractual terms cannot render scraping lawful; SMCs and other organisations must ensure there is a legal basis, maintain transparency and obtain consent when required by law.
   • Data protection requires a dynamic response; SMCs and other organisations should implement multilayered technical and procedural controls and safeguards that are regularly reviewed and updated. 
   • Providing access to data through an Application Programming Interface (API) allows greater control over the scraped data.
     
     
3. AI and data scraping
   
   • AI can serve to enhance protection against unlawful scraping. 
   • SMCs and other organisations that use data from their platforms, including scraped data, to train Large Language Models must comply with data protection and privacy laws, as well as AI specific laws or available guidelines and principles on the subject. 
     
     

The co-signatories highlight the importance of this issue in light of the latest developments in generative AI.

To stay informed, visit our website at AI-Regulation.com and follow us on LinkedIn, Twitter and Facebook.

S.P.