A band of 12 nations have issued a joint statement warning against the use of data scraping technologies to collect personal data from social media platforms and other online sites, which are required by local laws to safeguard their users' information.
They note that data scraping increasingly is used to gather and process vast amounts of individuals' personal information from the internet, raising significant privacy concerns as these technologies can be exploited for various purposes. These include monetization through reselling of the data to third-party websites, identity fraud, and threat intel gathering to facilitate malicious cyber attacks, according to the statement.
The 12 nations include Australia, Canada, the UK, Hong Kong, and Switzerland, whose respective data privacy agencies were cited in the statement.
The Office of the Australian Information Commissioner (OAIC) said it had observed in recent years increased reports of mass data scraping from social media applications and other websites that host publicly accessible personal information. It pointed to a 2020 case involving US facial recognition platform Clearview AI, which the OAIC and the UK Information Commissioner's Office determined had breached Australia's privacy laws.
Under the country's Privacy Act 1988, organizations must take "reasonable steps" to protect personal data they hold from misuse, interference, loss, unauthorized access, and modification. These include actions as a result of unlawful data scraping, the OAIC said, adding that affected individuals must be notified when a data breach involving information collected through data scraping technologies is likely to result in serious harm to the individual.
Personal data that is publicly accessible is still subject to data protection and privacy regulations in most jurisdictions, the statement noted.
"Social media companies and the operators of websites that host publicly accessible personal data have obligations under data protection and privacy laws to protect personal information on their platforms from unlawful data scraping," it said. "Mass data scraping incidents that harvest personal information can constitute reportable data breaches in many jurisdictions."
The 12 nations said they were expecting to gather feedback from companies that operate social media platforms, "over the coming weeks", on how they were complying or making plans to comply with the "expectations and principles" outlined in their joint statement.
The statement encompassed common global data protection practices that aim to help safeguard personal data against data scraping and mitigate the impact on personal privacy. While these are outlined as recommendations, the 12 nations stressed that many of the practices are "explicit statutory requirements" in specific jurisdictions.
They added that their joint statement had been sent directly to several of these websites, including Alphabet's YouTube, ByteDance's TikTok, Meta-owned platforms including Facebook and Threads, Sina's Weibo, X (formerly called Twitter), and Microsoft's LinkedIn.
The list of measures that the 12 nations expect these sites to take include "rate limiting" the number of visits per hour or day by a single account to other account profiles, and designating a specific team or roles within the organization to identify and implement controls in response to scraping activities.
Social media and websites that own personal data also should take steps to detect scrapers by identifying patterns in bot activities and take appropriate legal action, such as sending "cease and desist" letters and requiring the removal of scraped data, when illegal data scraping activities are identified.
These sites should implement "multi-layered technical and procedural controls to mitigate risks", the 12 nations said.
"Given the dynamic nature of data scraping threats, social media platforms and other websites should continuously monitor for, and respond with agility to, new security risks and threats from malicious or other unauthorized actors to their platform," they added. "Controls should be routinely stress-tested and updated to ensure they remain effective and keep pace with changing technologies."
The websites also should collect and analyze metrics on scraping incidents to identify areas of improvement in their security control approach, the nations said.