Global privacy authorities issue follow-up joint statement on data scraping after industry engagement

We and several global counterparts are highlighting how social media companies can better protect personal information, as concerns grow about mass scraping of personal information within social media platforms, including to support artificial intelligence systems.

We and our counterparts from 16 other global data protection authorities engaged with some of the world's largest social media companies after issuing a joint statement on data scraping last year. As a result of this engagement, they have now issued a follow-up statement laying out additional takeaways for industry.

The joint statement that was issued last year outlines key privacy risks associated with data scraping - the automated extraction of data from the web, including social media platforms and other websites that host publicly accessible personal information. The follow-up joint statement provides additional guidance to help companies ensure that personal information of their users is protected from unlawful scraping.

Last year, data protection authorities called on industry to identify and implement controls to protect against, monitor for, and respond to data scraping activities on their platforms, including by taking steps to detect bots and block IP addresses when data scraping activity is identified, among other measures.

This follow-up joint statement lays out further expectations, including that organisations:

• Comply with privacy and data protection laws when using personal information, including from their own platforms, to develop artificial intelligence (AI) large language models;
• Deploy a combination of safeguarding measures and regularly review and update them to keep pace with advances in scraping techniques and technologies; and
• Ensure that permissible data scraping for commercial or socially beneficial purposes is done lawfully and in accordance with strict contractual terms.

After the first statement was signed by members of the Global Privacy Assembly's International Enforcement Working Group in 2023, it was sent to the parent companies of YouTube, TikTok, Instagram, Threads, Facebook, LinkedIn, Weibo, and X (the platform formerly known as Twitter).

This led to constructive dialogue between data protection authorities and several of these social media companies, as well as with the Mitigating Unauthorized Scraping Alliance, an organisation that aims to combat unauthorised data scraping.

The discussions between industry representatives and data protection authorities enabled all parties to further examine issues related to data scraping. This resulted in a deepened understanding by data protection authorities of the challenges that organisations face in protecting against unlawful scraping, including increasingly sophisticated scrapers, ever-evolving advances in scraping technology, and differentiating scrapers from authorised users.

Generally, social media companies indicated to data protection authorities that they have implemented many of the measures that were identified in the initial statement, as well as further measures that can form part of a dynamic multi-layered approach to better protecting against unlawful data scraping. Some of the additional measures that are presented in the follow-up joint statement include using platform design elements that make it harder to scrape data using automation, safeguards that leverage artificial intelligence, and lower cost solutions that small and medium-sized enterprises could use to meet their safeguarding obligations.

Further reading

• Concluding joint statement on data scraping and the protection of privacy
• Joint statement on data scraping and the protection of privacy