Guernsey joins global partners to combat unlawful data scraping

Published: 28 October 2024

Guernsey’s Office of the Data Protection Authority (ODPA) has played an active role in international efforts to prevent publicly accessible personal data from being harvested in violation of data protection and privacy laws.

Working alongside global partners, the ODPA has highlighted how social media companies and other enterprises can best protect personal information, as concerns grow about mass scraping, including to support artificial intelligence systems.

“The unauthorised scraping of data presents a significant global risk to the privacy rights of individuals around the world” said Bailiwick Data Protection Commissioner Brent Homan. “Through this joint action, we have engaged positively with industry towards setting clear expectations and elevating security safeguards”.

The ODPA and 15 other global data protection authorities have been working with some of the world’s largest social media companies after the release of a joint statement on data scraping last year.

In it, data protection authorities called on industry to identify and implement controls to protect against, monitor for, and respond to, data scraping activities on their platforms.

The statement also outlined key privacy risks associated with data scraping - the automated extraction of data from the web, including social media platforms and other websites that host publicly accessible personal information.

This led to constructive dialogue between data protection authorities and several of these social media companies, as well as with the Mitigating Unauthorized Scraping Alliance (MUSA), an organisation that aims to combat unauthorised data scraping.

As a result of this engagement, a follow-up concluding statement has been published with additional guidance to help companies protect users’ personal data from unlawful scraping. Organisations should:
  • Comply with privacy and data protection laws when using personal information, including from their own platforms, to develop artificial intelligence (AI) large language models;
  • Deploy a combination of safeguarding measures and regularly review and update them to keep pace with advances in scraping techniques and technologies; and
  • Ensure that permissible data scraping for commercial or socially beneficial purposes is done lawfully and in accordance with strict contractual terms.
Generally, social media companies indicated to the signatory authorities that they have implemented many of the measures that were identified in the initial statement, as well as further measures that can form part of a dynamic multi-layered approach to better protecting against unlawful data scraping.

Some of the additional measures that are presented in the follow-up joint statement include using platform design elements that make it harder to scrape data using automation, safeguards that leverage artificial intelligence, and lower cost solutions that small and medium-sized enterprises could use to meet their safeguarding obligations.

Background information:

The enforcement exercise to protect people’s information from illegal data scraping practices was initiated by the Global Privacy Assembly’s (GPA) International Enforcement Cooperation Working Group, of which the ODPA is now a co-chair, together with data protection and privacy authorities from Colombia, Canada, Norway and Hong Kong.

After the first statement was signed by members of the GPA's International Enforcement Working Group in 2023, it was sent to the parent companies of YouTube, TikTok, Instagram, Threads, Facebook, LinkedIn, Weibo, and X (the platform formerly known as Twitter).

The GPA is a global forum of over 130 data protection and privacy authorities which provides leadership at international level. Its annual conference is currently being held in Jersey from 28 October until 1 November, hosted by the Jersey Office of the Information Commissioner.

Concluding Joint Statement signatories:
  • Office of the Australian Information Commissioner
  • Office of the Privacy Commissioner of Canada
  • United Kingdom Information Commissioner’s Office
  • Office of the Privacy Commissioner for Personal Data Hong Kong
  • Federal Data Protection and Information Commissioner Switzerland
  • Datatilsynet Norway
  • Office of the Privacy Commissioner New Zealand
  • Protection of Personal Data Superintendencia de Industria y Comercio Colombia
  • Jersey Office of the Information Commissioner
  • CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) Morocco
  • AAIP (Agency for Access to Public Information) Argentina
  • INAI (National Institute for Transparency, Access to Information and Personal Data Protection) Mexico
  • Bailiwick of Guernsey Office of the Data Protection Authority
  • AEPD (Agencia Española de Protección de Datos) Spain
  • CCIN (Commission de Contrôle des Informations Nominatives) Monaco
  • Privacy Protection Authority Israel