Office Of The Privacy Commissioner Of Canada Issues Joint Statement On Data Scraping And Protection Of Privacy

On August 24, 2023, the Office of the Privacy Commissioner of Canada issued a joint statement on data scraping and the protection of privacy (the Joint Statement).

The Joint Statement describes data scraping as technologies that can automatically extract data from the web and collect and process vast amounts of individuals’ personal information.

The Joint Statement outlines several privacy concerns involving the use of scraped data (even where the information being scraped is publicly accessible), such as: targeted cyber attacks; identity fraud; monitoring, profiling, and surveilling individuals; unauthorised political or intelligence gathering; and unwanted direct marketing or spam.

Moreover, the Joint Statement provides that social media companies (SMCs) and other websites are responsible for protecting individuals’ personal information from unlawful data scraping and should implement multi-layered technical and procedural controls proportionate to the sensitivity of the information.  Examples of security controls and best practices for SMCs and other websites include:

• “Rate limiting” the number of visits per hour or day by one account to other account profiles, and limiting access if unusual activity is detected;
• Taking steps to detect scrapers by identifying patterns in “bot” activity;
• Taking appropriate legal action where data scraping is suspected and/or confirmed;
• Informing users of the steps that have been taken to protect against data scraping; and
• Collecting and analyzing metrics on scraping incidents to inform and identify areas of improvement in their security control framework.

In addition, the Joint Statement sets out several measures that individuals can take to minimize privacy risks from data scraping, such as reading the SMC’s privacy policy and other information provided relating to how they share personal information, and managing privacy settings to limit the information being made publicly accessible.

The Joint Statement has been endorsed by various privacy offices around the world, such as Argentina, Australia, Hong Kong, Colombia, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland, and the United Kingdom.

Summary By: Steffi Tran