Date: 29 October 2024
Data Scraping on Social Media Raises Concerns
The PCPD, together with 15 Privacy Protection Authorities, Issues
a Global Joint Statement to Social Media Platforms
The Office of the Privacy Commissioner for Personal Data (PCPD), together with 15 privacy or data protection authorities worldwide, today issued a global joint statement (Joint Statement) on data scraping and the protection of privacy to social media platforms. The signatories include privacy or data protection authorities from Argentina, Australia, Canada, Colombia, Guernsey, Israel, Jersey, Mexico, Monaco, Morocco, New Zealand, Norway, Spain, Switzerland and the United Kingdom.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “As concerns grow among global regulators about mass scraping of personal data, including data scraping for training artificial intelligence (AI) systems, on social media platforms, the PCPD, as the co-chair of the Global Privacy Assembly’s International Enforcement Cooperation Working Group, together with the privacy or data protection authorities of other jurisdictions, issued the Joint Statement with the aim of reminding social media platforms and websites that host publicly accessible personal data that they have a responsibility to ensure that those personal data are adequately protected against unlawful data scraping, as well as providing further guidance to the industry.”
Data scraping, which generally involves extraction of data, including the collection of data for training AI systems, from the web by automated processes, raises significant privacy concerns. It can result in personal data being sold in the dark web without the knowledge and consent of the data subject, leading to exploitation of personal data for targeted cyberattacks, identity fraud, and unwanted direct marketing or spam messages.
To provide guidance to the industry, the Joint Statement sets out the global privacy protection expectations of the signatories as follows:
-
Organisations should deploy a combination of safeguarding measures, which should be regularly reviewed and updated to keep pace with advances in scraping techniques and technologies;
-
Organisations should consider using AI technologies to enhance protections against unlawful scraping;
-
Organisations should ensure that where data scraping is permitted, such as for commercial or socially beneficial purposes, it is conducted lawfully and in compliance with contractual terms;
-
When granting lawful permission for third parties to collect publicly accessible personal data from their platforms, organisations should consider providing such access via an Application Programming Interface (API) , as it can allow the organisations greater control over the data, and facilitate the detection and mitigation of unauthorised scraping; and
-
Organisations should comply with data protection and privacy laws as well as applicable guidance materials when using personal data, including those from their own platforms, to develop AI models. In this regard, organisations in Hong Kong should, in particular, take note of the “Guidance on the Ethical Development and Use of AI” and “AI: Model Personal Data Protection Framework” issued by the PCPD in August 2021 and June 2024 respectively, and relevant industry guidelines.
The Joint Statement can be downloaded
here.
Background
In August 2023, the PCPD, together with 11 privacy or data protection authorities from Argentina, Australia, Canada, Colombia, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the United Kingdom, issued an
initial joint statement to social media platforms and other websites that host publicly accessible personal data about global expectations on privacy protection.
The initial joint statement was sent to various companies running major social media platforms, including Alphabet Inc. (YouTube), Meta Platforms, Inc. (Instagram, Facebook and Threads), Microsoft Corporation (LinkedIn) and X Corp. (X) etc.
Subsequently, the signatories had discussions with the aforementioned companies that operate social media platforms as well as with industry representatives on the global expectations on privacy protection promulgated in the initial joint statement. During the process, social media companies indicated to the signatories that they had implemented many of the measures that were identified in the initial statement, as well as further measures that could form part of a dynamic multi-layered approach to better protecting against unlawful data scraping. The signatories today issued the concluding report to provide further guidance to social media platforms and other websites that host publicly accessible personal data.
-End-