Global Privacy Regulators Strengthen Stance on Data Scraping Risks, Issue New Compliance Guidelines

Global data protection authorities have issued a follow-up joint statement highlighting new measures for social media companies to enhance protections for personal information, as mass data scraping continues to pose risks, particularly in the age of artificial intelligence. This latest statement reflects insights from recent discussions between 17 data protection authorities and some of the largest social media platforms, deepening the collaboration initially sparked by a joint statement on data scraping in 2023.

Data scraping—automated processes that extract information from websites and social media platforms—remains a significant privacy risk, as it frequently involves the unauthorized collection of publicly accessible personal information. This information, often gathered on a mass scale, has been used to fuel artificial intelligence (AI) systems and large language models, sparking regulatory concerns about data protection compliance.

The original 2023 statement from global privacy authorities urged social media companies to implement robust controls to detect, prevent, and respond to scraping activities, including the use of bot-detection tools and IP blocking. Since then, global privacy authorities, including those from the UK, EU, and other regions, have engaged in extensive discussions with platform providers like YouTube, TikTok, Instagram, Threads, Facebook, LinkedIn, Weibo, and X (formerly Twitter), as well as with the Mitigating Unauthorized Scraping Alliance, a coalition focused on combating unauthorized data scraping.

This new joint statement expands on initial recommendations, urging social media companies to strengthen their anti-scraping frameworks by focusing on the following areas:

• Compliance with Privacy Laws for AI Development: Companies are called to ensure that any use of scraped personal data to support AI systems, such as large language models, fully complies with data protection regulations. This entails limiting data scraping activities to lawful purposes and ensuring that AI development does not come at the expense of privacy standards.
• Advanced and Adaptable Safeguarding Measures: The statement underscores the need for a dynamic approach to counteract evolving scraping techniques. Social media platforms are encouraged to regularly review and upgrade their data protection measures, integrating technological advancements to address increasingly sophisticated scraping tactics.
• Lawful Data Scraping with Contractual Safeguards: For instances where data scraping is permissible, such as for commercial or socially beneficial projects, the statement emphasizes that companies must operate within the bounds of strict contractual agreements to avoid unlawful data extraction.

The joint statement from global regulators further encourages companies to adopt design features that make automated scraping more challenging, and to leverage AI and cost-effective safeguards, making compliance feasible for small and medium-sized enterprises (SMEs).

Insights from Industry Engagement and Challenges in Data Protection

Ongoing dialogue between privacy authorities and social media companies has highlighted the inherent challenges these platforms face in combatting unauthorized data scraping. Authorities noted the increasing sophistication of scraping technologies and the difficulty of distinguishing malicious scrapers from legitimate users. Social media companies have largely confirmed that they have integrated many of the recommended safeguards from the initial statement and have added multi-layered strategies to enhance data security.

Among the more innovative responses included in the follow-up statement are platform design elements that deter automated scraping and AI-driven solutions that allow for rapid adaptation to new scraping threats. For SMEs, which may have limited resources, the statement points to affordable tools and solutions to meet safeguarding obligations effectively.

Data Protection in a Data-Driven World

As AI continues to drive innovation, the risk of data scraping is likely to remain a core challenge in the digital landscape. The recent engagement between global data protection authorities and social media companies underscores the importance of proactive measures, adaptable frameworks, and cross-industry collaboration to safeguard personal information effectively. For social media companies, the guidance offers both a roadmap and a call to action, while reminding them of their regulatory responsibilities in an era where data serves as a critical resource for technology and AI development.

The joint statement sets forth a clear path for organizations to navigate the intricacies of data protection in the context of both AI and social media, aiming to strike a balance between innovation and privacy. As regulators continue to monitor compliance and adapt to technological advancements, this collaborative effort marks a significant step toward a more privacy-resilient digital ecosystem.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.