The Information Commissioner’s Office (ICO) together with 11 other privacy regulators have recently published a joint statement on data scraping and the protection of privacy.

It is a common misconception that personal data that is publicly available is not subject to data protection laws, ­but this joint statement clarifies that this is not the case and shows the intention of privacy regulators from different jurisdictions to work together.

Data scraping technologies typically involve the automated extraction of data from the internet, often from social media sites and other publicly accessible data. Use of this type of personal data can then be exploited in a number of ways, including by nefarious actors for the purposes of identify fraud. The cross-jurisdictional availability of personal data only increases this risk and data could also be used by foreign governments and intelligence agencies for unauthorised purposes. The rapid evolution of artificial intelligence (AI) and machine leaning is only likely to increase the potential uses and risks of data scraping, therefore this joint statement is timely.

The joint statement is clear that social media companies should take steps and implement controls to prevent data scraping. Examples include designating a team/roles to identify data scraping activities (consistent with the GDPR principal of accountability) and monitor new accounts for abnormal activity.

Signatories to the joint statement include the Office of the Australian Information Commissioner and the Office of the Privacy Commissioner for Personal Data – Hong Kong, China.