On August 24, 2023, the Office of the Privacy Commissioner of Canada, in conjunction with 11 other global privacy authorities (“Regulators”), issued a joint statement (the “Joint Statement”) regarding privacy protection and data scraping.
This blog post will provide an overview of data breaches and data scraping and explain the potential consequences of such privacy breaches. It will also outline the key points from the Regulators’ joint statement and highlight the proactive steps businesses can take and potential risks to watch for.
What Is Data Scraping?
Data scraping is an automated technique in which a computer program or application is used to extract, or “scrape,” valuable information from a website’s database or other web source. This data extraction can gather information such as text, images, prices, product details, contact information, and any other publicly available data on the internet.
The individual or company that scrapes data from a website often collects and uses the information for a different purpose. Historically, personal data extracted from online databases has been used for unlawful purposes, including:
- Cyberattacks;
- Identity fraud;
- Sale to malicious actors; and
- Private analysis or intelligence gathering.
Companies are generally prohibited from scraping personal information from websites, as it can potentially infringe upon privacy rights and terms of service agreements of websites and can result in legal consequences.
Data Scraping Legislation & Navigating Privacy Breaches by Artificial Intelligence
Like other countries, Canada has laws and regulations that govern data privacy and protection, which may impact the legality of data scraping activities. A key piece of federal privacy legislation is the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which outlines rules for collecting, using, and disclosing personal information.
Personal information and privacy are often initial considerations for those uploading information online. However, in recent years, data scraping has come into consideration with the emergence and popularity of Artificial Intelligence (“AI”) systems that are trained on the publicly accessible information available on the internet. Several class actions concerning privacy breaches have commenced in the United States of America against large entities, such as Google and ChatGPT.
Global Privacy Regulators’ Joint Statement
In the recent joint statement made on August 24, 2023, the Regulators assert that social media companies and other website operators “are responsible for protecting individuals’ personal information from unlawful data scraping.” Because data scraping techniques continue to evolve alongside technology, and no single safeguard can protect against “all potential privacy harms associated with data scraping,” data security and vigilance must remain paramount.
Multi-Layered Controls Used to Mitigate Risk
The Joint Statement went on to note that social media companies and website operators should implement multi-layered technical and procedural controls to mitigate potential privacy breach risks, such as:
- “Rate limiting” the number of visits per hour or day by one account and limiting access if unusual activity is detected;
- Taking steps to identify patterns in “bot” activity and detect “bots” by using “CAPTCHAs” and blocking IP addresses where data scraping activity is identified;
- Notifying affected individuals and privacy regulators in jurisdictions where data scraping may constitute a data breach; and
- Taking appropriate legal action when data scraping activity is suspected and/or confirmed.
When it comes to taking legal action, it is essential for companies to obtain legal advice as quickly as possible following a suspected and/or confirmed data breach to address the issue, prevent further violations, and obtain appropriate relief (such as an injunction).
Websites & Social Media Companies to “Proactively Support Their Users”
If any implemented data scraping safeguards require processing a user’s personal information, these entities should also ensure that their processing complies with the applicable data protection or privacy law requirements in their jurisdiction.
Social media companies and other websites are encouraged to “proactively support their users so that they can make informed decisions about how they use the platform and what personal information they share.” To support this, the Joint Statement provides that they should increase “user awareness and understanding of the privacy settings they can utilize” when using such platforms and websites.
Key Takeaways for Individuals & Businesses
For individuals and businesses uploading personal information onto the internet, it is crucial to understand that data breaches can happen quickly and at any time. In short, some key takeaways from the Joint Statement include:
- Data scraping incidents can result in reportable data breaches in certain jurisdictions;
- Businesses should remain up-to-date with new developments in privacy law and regulations and should update internal procedures and policies accordingly;
- Personal information which is “publicly available” online is still subject to privacy laws in many jurisdictions. However, individuals and businesses should take proactive action to mitigate the risk of data scraping and be mindful of the information available online; and
- Social media companies and website operators that host publicly accessible personal data must be clear on their obligations under privacy and data protection laws when protecting personal information on their platforms from unlawful data scraping.
For Advice on Data Breaches, Injunctions and Complex Commercial Litigation, Contact Milosevic & Associates
At Milosevic & Associates, our experienced complex commercial litigation lawyers understand the unique challenges faced by businesses, particularly concerning technology and privacy. When it comes to issues of civil fraud, injunctive relief, data breaches, and employee fraud, our lawyers are ready to assist. Our firm prides itself on guiding clients through the most complex disputes and ensuring they are well-positioned to achieve their goals. To learn how we can help you resolve your commercial dispute, contact us by phone at 416-916-1387 or reach out to us online to schedule a confidential consultation with a member of our team.