Privacy Authorities Press Platforms to Protect Publicly Posted Personal Information

Stikeman Elliott LLP

The Privacy Commissioner of Canada and other international data protection authorities recently issued a joint statement urging websites and social media platforms to do more to protect personal information from unlawful data scraping.

The joint statement has implications not only for individuals and website/social network operators, but also for businesses that may review and collect personal information from publicly accessible sites in order to gather information about public perceptions of brands, products and services, as well as to compile other market intelligence. While these types of activities were not among the identified risks that apparently gave rise to the joint statement, it would appear that such market intelligence techniques could nonetheless be affected by the controls promoted by the joint statement.

Privacy laws apply to public posts

It may come as a surprise to many that most publicly accessible personal information, like that posted on the web or social networks, continues to be subject to Canadian privacy laws, meaning that consent is generally required for any collection, use or disclosure of that information. Exceptions do exist, but only for a fairly narrow set of “publicly available” personal information that is defined by regulation, such as in the Regulations Specifying Publicly Available Information, which were enacted under the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

In the joint statement, issued by 12 members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group, the data protection authorities noted that data scraping – which involves the automated extraction of data from publicly accessible sites and platforms – poses material risks to the privacy of the individuals involved. For example, the joint statement notes that scraped personal information can be exploited for purposes such as aiding targeted cyberattacks (e.g., through social engineering or phishing), facilitating identity fraud, enabling unwanted direct marketing or spam, or, more seriously, allowing for the unauthorized monitoring, profiling and surveillance of individuals, including by foreign governments.

Platform obligations

Since publicly-posted personal information is still subject to many privacy laws, including Canada’s, the data protection authorities also noted that website and social network operators are responsible under applicable privacy laws for protecting the personal information that they host and process – including protecting it from unlawful data scraping. As techniques for scraping and exploiting scraped data are constantly evolving, the authorities stressed that protecting such information is a dynamic responsibility that requires ongoing vigilance.

These statements appear to extend the accountability obligations under Canadian privacy laws, which require organizations to protect personal information under their control, to also require organizations to protect personal information under the control of an individual user, who determines what personal information to post, where, and for how long. It remains to be seen whether Canadian courts would agree that an organization’s legal responsibility extends this far.

The statement also notes that there are certain steps that individuals can take to better protect their personal information that is posted to websites or social media platforms.

Potential safeguards

In order to mitigate the risks posed by data scraping, the authorities indicated that websites and social media platforms should implement multi-layered and procedural controls, proportionate to the sensitivity of the publicly accessible personal information. These controls could include the following:

  • Designating responsibility within the organization to identify and implement anti-scraping controls and to monitor and respond to scraping activities
  • “Rate limiting” the number of visits per hour or day by one account to other account profiles, and limiting access if unusual activity is detected
  • Monitoring abnormally high search activity for other users, particularly by new accounts
  • Identifying patterns in bot activity that could be indicative of scraping
  • Taking steps to detect bots, such as by using CAPTCHAs and blocking IP addresses from which scraping activity is identified
  • Taking appropriate legal action where scraping is suspected or confirmed (such as cease and desist letters requiring deletion of scraped data)
  • Notifying relevant authorities in jurisdictions where the data scraping may constitute a data breach
  • Proactively supporting users in making informed decisions about the personal information that they share

Many platforms already prohibit data-scraping in their terms of service, and may already monitor and address scraping that is detected on their platforms; however, the joint statement, and the Privacy Commissioner of Canada’s endorsement of it, may cause some platforms to increase their anti-scraping activity.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stikeman Elliott LLP | Attorney Advertising
