On October 28, 2024, the Office of the Privacy Commissioner of Canada (“OPC”) issued a Concluding Joint Statement on data scraping and privacy protection.[1] This document outlines the expectations for organizations to safeguard individuals against the risks posed by unlawful data scraping. The October Concluding Joint Statement builds on the Initial Joint Statement released on August 24, 2023 (the “Initial Statement”), reinforcing the obligations of organizations to protect individuals from such activities while sharing insights from engagements with Social Media Companies (“SMCs”) and other industry stakeholders.[2] Both statements address the automated extraction of personal data from the web, underscoring that publicly accessible personal information falls under data protection and privacy laws.

The Initial Statement was originally published by 12 members of the International Enforcement Working Group (IEWG) and later received endorsements from two additional members, resulting in a total of 16 co-signatories for both the Initial and Concluding Statements.

Engagement with industry:

Following the release of the Initial Statement, the co-signatories consulted with major tech/social media companies. These discussions focused on compliance with the outlined expectations and included input from the Mitigating Unauthorized Scraping Alliance (MUSA) and a commercial data scraping company advocating lawful data collection practices. Through these interactions, the co-signatories were able to engage meaningfully with industry stakeholders, fostering dialogue on data and privacy protection. They aim to share lessons learned from these discussions and outline further expectations for organizations that manage publicly accessible personal data.

Lessons learned and expectations

Protecting personal data:

The co-signatories reaffirmed that all organizations, especially SMCs, must adopt a multi-layered strategy to protect publicly available personal data. Without limitations, this includes:

  • Designating teams to oversee data protection efforts.
  • Implementing rate limiting to control access frequency.
  • Utilizing CPATCHAs and IP blocking to detect and deter scraping.
  • Taking legal action when unauthorized scraping is suspected.
  • Monitoring threat landscape and new technologies to develop safeguards accordingly.

While SMCs have made strides in these areas, challenges remain. Increasingly sophisticated scraping technologies and the rise of AI-driven bots complicate detection efforts. However, SMCs also leverage AI for improved security measures, illustrating the dual-edged nature of technology in this context.

Supporting small and medium enterprises (“SMEs”):

SMEs, often lacking the resources of larger corporations, also bear responsibility for protecting personal data. They can implement cost-effective measures such as bot detection and rate limiting, and can engage third-party providers for additional support. Nonetheless, using such services does not absolve SMEs from their legal obligations to safeguard data.

Authorized and lawful scraping

Some SMCs may permit scraping under specific conditions, typically outlined in their Terms of Service. However, such contractual measures must be coupled with proactive compliance efforts to ensure that all data usage aligns with privacy laws. Organizations must not only set these terms but also actively monitor compliance to mitigate risks of unauthorized use.

Facilitating research and other social good

There are circumstances where SMCs must provide access to data for research or other beneficial purposes, often facilitated through APIs (Application Programming Interfaces). While this can support important initiatives, organizations must ensure compliance with applicable data protection laws, verifying that any data sharing is lawful and respects user privacy. It’s important to note that not all data protection laws allow for exceptions related to public interest or research, and where such exceptions exist, they may have limitations.

Conclusion

The conversation surrounding data scraping continues to evolve, especially with the emergence of generative AI. Both the Initial and Concluding Statements highlight the necessity of protecting publicly accessible personal information from unauthorized scraping, a responsibility shared by all organizations, not just SMCs.

The co-signatories emphasize the importance of implementing adequate safeguards to avoid regulatory scrutiny and potential enforcement actions. As the landscape of data protection shifts, ongoing collaboration among stakeholders will be crucial to navigate these challenges effectively. Organizations are encouraged to engage with regulatory bodies and each other to share strategies and best practices in safeguarding personal data against unlawful scraping.

If you have any questions or would like guidance on how this statement impacts you or your organization, please contact a member of the Miller Thomson LLP Technology, IP and Privacy Group.


[1] International Enforcement Cooperation Working Group, “Concluding joint statement on data scraping and the protection of privacy” (28 October 2024), online: Office of the Privacy Commissioner of Canada <www.priv.gc.ca/en/opc-news/speeches/2024/js-dc_20241028/>.

[2] International Enforcement Cooperation Working Group, “Joint statement on data scraping and the protection of privacy” (24 August 2023), online: Office of the Privacy Commissioner of Canada <www.priv.gc.ca/en/opc-news/speeches/2023/js-dc_20230824/>.