News release

Social media companies should take steps to prevent unlawful data scraping, global privacy authorities say

Amid growing concerns about mass data scraping of online personal information, the Office of the Privacy Commissioner of Canada (OPC) and other data protection authorities from around the globe are calling on the world’s largest social media companies to take steps to better protect personal information.

In a joint statement issued today, the data protection authorities set out how the world’s largest social media companies and other operators of websites that host publicly accessible personal information should ensure that individuals are protected from unlawful data scraping.

Data scraping – which involves the automated extraction of data from the web – poses an important risk to the privacy of Canadians. Scraped personal information has been used for targeted cyberattacks, identity fraud, creating facial recognition databases, unauthorized police intelligence gathering, and unwanted direct marketing and spam.

For example, a 2021 investigation by the OPC and three provincial counterparts found that Clearview AI’s scraping of billions of images of people from across the Internet represented mass surveillance of Canadians.

“International collaboration is critical to promoting and protecting privacy rights in the digital realm and addressing emerging issues such as mass data scraping, which can present a significant risk to fundamental privacy rights,” said Privacy Commissioner of Canada Philippe Dufresne.

The joint statement, an initiative of the Global Privacy Assembly’s (GPA’s) International Enforcement Cooperation Working Group, is signed by Commissioner Dufresne and representatives from 11 other members of the GPA.

The statement has been shared with the parent companies of YouTube, TikTok, Instagram, Threads, Facebook, LinkedIn, Weibo and X (the platform formerly known as Twitter).

The document sets out several steps that social media companies and other websites that host publicly accessible personal information should take to mitigate the risks to individuals. These include:

• Designating a team and/or specific roles within the organization to identify and implement controls to protect against, monitor for, and respond to scraping activities;
• Monitoring how quickly and aggressively a new account starts looking for other users to detect abnormally high activity that may indicate unacceptable usage;
• Taking steps to detect bots and blocking IP addresses when data scraping activity is identified; and
• Taking appropriate legal action in cases where data scraping is suspected or confirmed.

The statement notes that there are certain steps that individuals can take to better protect their own personal information. These include, being cautious to limit the online sharing of sensitive personal information, and reading the privacy policy and other information provided by a social media company or other website about how they share personal information.