- Nine data protection authorities publish a joint statement on automated data scraping and address large technology companies as suspects.
- Publicly accessible data is also subject to data protection obligations for data collectors and publishers; Swiss law emphasizes limited exemption.
- Scraped data harbors risks such as identity theft, surveillance through aggregation, facilitated facial recognition as well as abusive access by authorities and spam.
- Operators should take technical and organizational protective measures; private individuals protect themselves through data protection notices and cautious sharing.
An eclectic group of nine data protection authorities – the FDPIC and authorities from Australia, Canada, UK, Hong Kong, Norway, New Zealand, Colombia, Jersey, Morocco, Argentina and Mexico – have developed a joint statement on data scraping published, i.e. for the automated extraction of data from websites. This is happening increasingly often, and the suspects are Alphabet (for YouTube), ByteDance (for TikTok), Meta (for Instagram, Facebook and Threads), Microsoft (for LinkedIn), Sina (for Weibo) and X Corp. (for Twitter, or now “X”), who were served with the statement.
The statement is accordingly generic. In essence, it says that both the company that obtains data from the Internet and the one that publishes it, data protection obligations have, even if the data are factually public. Under Swiss law, this is true insofar as the exemption for processing public data is of limited scope and often overestimated.
In doing so, the authorities make certain Risks from. Scraped data – a German term is arguably lacking – can be used for attacks and identity theft, and aggregating them creates the risk of surveillance – e.g., facilitated facial recognition – and access by authorities interested in such data pools, including for political or intelligence purposes. Spam is also a risk, he said.
Anyone who publishes data should therefore protect themselves from scraping. protectThis may include technical restrictions on frequent or suspected access, authorization measures such as captchas, and organizational measures such as warnings against scrapers. If the applicable law covers scraping as a security breach – which under the DPA requires that security measures have been taken – notification may be required.
Private individuals can also protect themselves, for example by reading the privacy statements of website operators (another reason to read privacy statements!), and above all by sharing less.