SEPTEMBER 01, 2023

Joint Statement of the Agency of Access to Public Information on illegal data scraping.

CIRCULARS

Data Privacy & Data Protection – Cybersecurity Department Report | Joint Statement of the Agency of Access to Public Information on illegal data scraping

Dear Sir or Madam,

On August 24th, 2023, a statement was published on the website of the Access to Information and Privacy Agency (“AAIP”), signed by the Agency’s Director, Beatriz de Anchorena, in conjunction with the heads of data protection agencies from Australia, Canada, the United Kingdom, Hong Kong, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, and Mexico, regarding data scraping and the protection of privacy (the “Joint Statement”).

The purpose of the Joint Statement is to outline the main privacy risks associated with data scraping and to establish how social media companies and other websites should protect individuals’ personal information from illegal data scraping to meet regulatory expectations. This is particularly important as there has been an increase in incidents related to data scraping, including the use of extracted data for targeted cyberattacks, identity fraud, monitoring, profiling, unauthorized intelligence, or direct marketing.

The signatories of the Joint Statement explicitly urge social media companies and other websites that host publicly accessible data to share comments demonstrating how they comply with the expectations described in the Joint Statement within one month of its publication. It should be clarified that any response will be shared among the signatories and may be published.

The full text of the Joint Statement was published on the AAIP website in English only and can be accessed by following this link: Joint Statement.

We summarize below the most relevant aspects:

The signatories emphasize that, in most jurisdictions, personally identifiable information that is “publicly available” on the Internet is subject to data protection and privacy laws. Therefore, individuals and companies that extract such personal information are responsible for ensuring compliance with these and other applicable laws and for fulfilling relevant obligations regarding data scraping from third-party sites to their own sites.

While the Joint Statement expressly acknowledges that no security measure will be adequate to fully protect against all potential privacy harms associated with data scraping due to the dynamic nature of data scraping threats, it indicates that social media companies and other websites should implement multi-layered technical and procedural controls, or combinations thereof, to mitigate risks. Examples of these controls include:

• Designating a team and/or specific roles within the organization to identify and implement controls to protect against, monitor, and respond to data scraping activities.

• Limiting the number of visits per hour or day by one account to profiles of other accounts and restricting access if unusual activity is detected.

• Monitoring how quickly and aggressively a new account begins searching for other users. Abnormally high activity may indicate unacceptable usage.

• Taking measures to detect data scrapers by identifying patterns in “bot” activity, for example by using CAPTCHAs, and blocking IP addresses where data scraping activity is identified.

• Taking legal action, such as cease and desist requests, for the removal of extracted information.

• In jurisdictions where data extraction may constitute a security incident, notifying affected data subjects and the relevant authority.

• Proactively supporting users so they can make informed decisions about how they use the platform and what personal information they share, and increasing awareness and understanding of privacy settings.

The Joint Statement also mentions that, given the dynamic nature of data scraping threats, social media companies and other websites should continuously monitor for, and respond with agility to, new security risks and threats from malicious or other unauthorized actors to their platform.

The Joint Statement also refers to the measures individuals can take to minimize risks arising from data scraping, recommending that they (i) read the privacy policies of websites regarding information sharing and disclosure, to make informed decisions about the information they choose to share and to understand the resulting privacy risks, (ii) evaluate the quantity and type of information they share and consider whether sharing certain information may put them at risk of reputation damage, discrimination, harassment, identity fraud, or theft, and (iii) understand and manage privacy settings.

If you have any questions or need further clarification, please feel free to contact us.

Sincerely,

Emilio Beccar Varela
Florencia Rosati