Joint statement on data scraping and data protection | ICO

Joint statement on data scraping and data protection
Share(Opens Share panel)
Date
24 August 2023
Type
News
The Information Commissioner’s Office and eleven other data protection and privacy authorities from around the world have today published a joint statement calling for the protection of people’s personal data from unlawful data scraping taking place on social media sites.

Data scraping is an automated way to pull large amounts of information from the web. Scraping from social media creates privacy risks and potential harms, such as the information people post online being used for reasons they don’t expect, exploited in cyberattacks or used for identity fraud.

The joint statement published today sets expectations for how social media companies should protect people’s data from unlawful data scraping. It also recommends steps people can take to minimise risks when sharing information online.

“This joint statement helps provide certainty, and consistency across borders, in how data protection applies to information people post online. Organisations must have a lawful reason for collecting and using people’s data, even when it is publicly available.

“Social media companies have obligations under UK data protection law to protect the information people post on their platforms.

“We are seeing increased reports of mass data scraping from social media and remind organisations that such incidents may require reporting to the ICO as a personal data breach.”

- Stephen Bonner, ICO Deputy Commissioner for Regulatory Supervision

The joint statement is signed by twelve authorities brought together by the Global Privacy Assembly. Social media companies are invited to respond and demonstrate how they protect people from unlawful scraping.

The signatories of the joint statement are:

Office of the Australian Information Commissioner
Office of the Privacy Commissioner of Canada
Information Commissioner’s Office – United Kingdom
Office of the Privacy Commissioner for Personal Data – Hong Kong, China
Federal Data Protection and Information Commissioner – Switzerland
Datatilsynet – Norway
Office of the Privacy Commissioner – New Zealand
Superintendencia de Industria y Comercio – Columbia
Jersey Office of the Information Commissioner
CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) - Morocco
AAIP (Agency for Access to Public Information) - Argentina
INAI (National Institute for Transparency, Access to Information and Personal Data Protection) - Mexico