On October 28, 2024, the Office of the Privacy Commissioner of Canada issued its Concluding Joint Statement on Data Scraping and the Protection of Privacy (the Concluding Statement) with its co-signatories, building on the Joint Statement on Data Scraping and the Protection of Privacy (the Initial Statement) issued on August 24, 2023.
The Initial Statement outlined the privacy concerns relating to the use of personal information scraped from the web and suggested security controls for social media companies (SMCs) for protecting against data scraping, as previously reported by the E-TIPS® Newsletter here. The signatories of the Initial Statement engaged with SMCs and industry stakeholders to develop key takeaways on the challenges in protecting personal information from mass data scraping, including through the use of artificial intelligence (AI).
The Concluding Statement reiterated that organizations should deploy several safeguarding measures against data scraping and should regularly review these measures to keep up with advances in scraping technologies. It also emphasized that the obligation to protect against data scraping applies to large corporations and small and medium enterprises, with lower-cost security measures available to small and medium enterprises to meet this obligation.
The Concluding Statement notes that where SMCs are permitted to contractually authorize data scraping of personal information on their platforms, the contractual terms do not necessarily render the data scraping lawful. SMCs and other organizations are encouraged to implement monitoring and enforcement schemes to continually ensure authorized scraping of personal information is lawful. Any data scraping arrangement permitted by a SMC or other organization for any purpose, including commercially and socially beneficial purposes, must have:
- A lawful basis for scraping personal information;
- Transparency about the permissible scraping; and
- Consent, where required by law.
Lastly, the Concluding Statement identified AI as a key detection-evading tool in sophisticated data scraping schemes, while also potentially providing a solution for enhancing protections against scraping. The Concluding Statement outlined that SMCs must comply with data protection and privacy laws, as well as any AI-related laws, when using scraped data sets from their own platforms to train AI, such as large language models.
Summary By: Amy Ariganello
E-TIPS® ISSUE
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.
