Legal development

Online platforms under greater scrutiny to address unlawful data scraping


    Joint statement by international privacy regulators on unlawful data scraping and data protection

    The Office of the Australian Information Commissioner (OAIC) and eleven other data protection and privacy regulators issued a joint statement that operators of platforms (especially social media platforms) and other publicly accessible sites have obligations to protect publicly available personal information from unlawful data scraping, and that data scraping incidents can constitute notifiable data breaches.

    Key takeaways

    • Personal information that is publicly accessible is subject to data protection laws in most jurisdictions including Australia.
    • Operators of websites and platforms that host publicly accessible personal information (including those subject to paywalls or other access restrictions) have obligations to safeguard personal information on their websites and platforms against unlawful data scraping.
    • Data scraping incidents can constitute a notifiable data breach in many jurisdictions including Australia.
    • These operators have a responsibility to enable individuals to engage with their online services in a privacy-protective manner.
    • In addition, the publication of personal information on platforms and websites by third-party users who have not secured appropriate rights to publish it may create risks for operators.
    • Access to bulk personal information for AI training may become harder, leading either to greater reliance on synthetic data for training or to the growth of bulk datasets that can lawfully be handled for AI training purposes.
    • The OAIC and overseas regulators suggest that platforms and websites should use multi-layered technical and procedural controls to mitigate the risks of unlawful data scraping.

    Why it matters

    This is a significant shift in regulatory focus. Until now, regulators have concentrated on those that unlawfully collect personal information through scraping (such as Clearview AI, Inc). The joint statement places greater scrutiny on the operators of online sites and platforms that host publicly accessible personal information (particularly those with significant or sensitive datasets), and on their obligation to protect that information from unlawful data scraping.

    The joint statement is targeted not only at social media sites but also at any other operators of websites and platforms that host publicly accessible information, such as operators of online forums and of sites where paid subscribers can access personal information of individuals posted on the platform.

    Where the publicly available personal information that was the subject of unlawful data scraping contains sensitive personal information (such as health information or biometric information) or government identifiers (such as passport numbers or Medicare numbers), there is a higher risk of harm to individuals from misuse of that information. That higher risk in turn makes it more likely that the scraping will constitute a notifiable data breach under Australia's Privacy Act 1988 (Cth) (Privacy Act).

    Under the Privacy Act, the OAIC can investigate whether there has been an interference with an individual's privacy and make a determination accordingly. Enforcement steps by the OAIC may include obtaining enforceable undertakings, bringing legal proceedings to seek the imposition of civil penalties, and requiring the payment of compensation to affected individuals. The OAIC and third parties may also seek injunctions to restrain breaches of the Privacy Act.

    What you need to do

    Operators of platforms and websites that host publicly accessible personal information should:

    • Review their privacy collection and handling practices in respect of personal information that they make publicly available on their platforms and websites;
    • Review their terms of use with users and subscribers to ensure appropriate terms reflective of their collection and handling of personal information are included;
    • Review their privacy policies and collection notices to ensure that individuals are fully aware of relevant information handling practices and to ensure that any consents are informed; and
    • Implement multi-layered technical and procedural controls to:
      1. ensure inappropriate personal information (such as information not solicited or which includes sensitive or strictly regulated personal information) is not published; and
      2. protect individuals' personal information from unlawful data scraping.

    Authors: Tim Brookes, Partner; Kendrick Deng, Lawyer; and Andrew Hilton, Expertise Counsel.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.