The ICO exists to empower you through information.

Joint statement on data scraping and data protection

Share
Date
24 August 2023
Type
News

The Information Commissioner’s Office and eleven other data protection and privacy authorities from around the world have today published a joint statement calling for the protection of people’s personal data from unlawful data scraping taking place on social media sites.

Data scraping is an automated way to pull large amounts of information from the web. Scraping from social media creates privacy risks and potential harms, such as the information people post online being used for reasons they don’t expect, exploited in cyberattacks or used for identity fraud.

The joint statement published today sets expectations for how social media companies should protect people’s data from unlawful data scraping. It also recommends steps people can take to minimise risks when sharing information online.

“This joint statement helps provide certainty, and consistency across borders, in how data protection applies to information people post online. Organisations must have a lawful reason for collecting and using people’s data, even when it is publicly available.

“Social media companies have obligations under UK data protection law to protect the information people post on their platforms.

“We are seeing increased reports of mass data scraping from social media and remind organisations that such incidents may require reporting to the ICO as a personal data breach.”

- Stephen Bonner, ICO Deputy Commissioner for Regulatory Supervision

The joint statement is signed by twelve authorities brought together by the Global Privacy Assembly. Social media companies are invited to respond and demonstrate how they protect people from unlawful scraping.

The signatories of the joint statement are:

  • Office of the Australian Information Commissioner
  • Office of the Privacy Commissioner of Canada
  • Information Commissioner’s Office – United Kingdom
  • Office of the Privacy Commissioner for Personal Data – Hong Kong, China
  • Federal Data Protection and Information Commissioner – Switzerland
  • Datatilsynet – Norway
  • Office of the Privacy Commissioner – New Zealand
  • Superintendencia de Industria y Comercio – Columbia
  • Jersey Office of the Information Commissioner
  • CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) - Morocco
  • AAIP (Agency for Access to Public Information) - Argentina
  • INAI (National Institute for Transparency, Access to Information and Personal Data Protection) - Mexico