ICO and global privacy regulators call on social media giants to fight ‘unlawful data scraping’

The UK’s privacy watchdog (ICO) alongside 11 data protection and privacy agencies from across the globe released a joint statement last week calling for social media giants to increase the protection of users’ personal data from “unlawful data scraping.”

Data scraping is an efficient and mostly automatic extraction of large amounts of publicly available information from online platforms, including social media platforms where individuals share personal data.

This data, often combined with information sourced from elsewhere, helps create comprehensive user profiles that can lead to many privacy risks for individuals, including targeted attacks and identity crimes.

“Scraping from social media creates privacy risks and potential harms, such as the information people post online being used for reasons they don’t expect, exploited in cyberattacks or used for identity fraud,” the UK Information Commissioner's Office said.

The joint statement emphasized that, although user data is publicly available on social media websites, it still is subject to data protection and privacy laws, and social platforms are obliged to protect individuals by enforcing anti-scraping measures.

“This joint statement helps provide certainty, and consistency across borders, in how data protection applies to information people post online,” the 12 privacy authorities said. “Organisations must have a lawful reason for collecting and using people’s data, even when it is publicly available.”

Here are some of the measures proposed to social media giants, according to the data protection authorities:

· Implementing technical and procedural controls to mitigate risks

· Designating specialized teams that can handle and monitor scraping

· Limiting the number of visits per hour or day made by one account to other account profiles

· Taking steps to detect data scrapers and bot behaviors and blocking IP addresses where this scraping activity has been identified

· Taking legal actions against confirmed data scrapers, including sending 'cease and desist' letters

· Notifying users and privacy regulators of data breaches in jurisdictions where these incidents may constitute a data breach

The entire list can be read here.

The data regulatory bodies also urge individuals to take steps to help minimize their privacy risks against scraping incidents by:

· Closely inspecting the privacy policies of the social media platforms they use

· Maximizing the privacy settings to decrease their public exposure

· Limiting the amount of personal information they share online

"Ultimately, we encourage individuals to think long term. How would a person feel years later, about the information that they share today?" the privacy watchdogs warned.  "While SMCs and other websites may offer tools to delete or hide information, that same information can live forever on the Web if it has been indexed or scraped, and onward shared."

The data protection authorities who cosigned the statement are in the UK, Australia, New Zealand, Canada, Mexico, Hong Kong/China, Switzerland, Norway, New Zealand, Morocco, Argentina and Columbia.

Check if your personal info has been stolen in a data breach or made public on the internet with Bitdefender’s Digital Identity Protection tool.