By Commander Mukesh Saini (Retd.)
On 24th August 2023, twelve data protection and privacy authorities from around the world have published a joint statement calling for the protection of people’s personal data from unlawful data scraping taking place on social media sites.
The joint statement published had set the expectations for how social media companies should protect people’s data from unlawful data scraping. It also recommends steps people can take to minimise risks when sharing information online.
Some of the important issues discussed in the joint meeting of the Personal Data Supervisory Authorities were:
“1. Data scraping generally involves the automated extraction of data from the web. Data protection authorities are seeing increasing incidents involving data scraping, particularly from social media and other websites that host publicly accessible data.
2. The capacity of data scraping technologies to collect and process vast amounts of individuals’ personal information from the internet raises significant privacy concerns, even when the information being scraped is publicly accessible.
3. In most jurisdictions, personal information that is “publicly available”, “publicly accessible” or “of a public nature” on the internet, is subject to data protection and privacy laws. Individuals and companies that scrape such personal information are therefore responsible for ensuring that they comply with these and other applicable laws. However, social media companies and the operators of other websites that host publicly accessible personal information (SMCs and other websites) also have data protection obligations with respect to third-party scraping from their sites. These obligations will generally apply to personal information whether that information is publicly accessible or not. Mass data scraping of personal information can constitute a reportable data breach in many jurisdictions.
4. Scraped personal information can be exploited for various purposes, such as monetization through re-use on third-party websites, sale to malicious actors, or private analysis or intelligence gathering, resulting in serious risks to individuals as explained further below. 5. SMCs and other websites should carefully consider the legality of different types of data scraping in the jurisdictions applicable to them and implement measures to protect against unlawful data scraping.”
Recently the Information Security Commissioner of Ireland had imposed fine in the amount of €1.2 billion (more than ten thousand Crores in Indian Rupees) on Meta (Facebook) for insufficient legal basis for data processing.
Data scraping is an automated way to pull large amounts of information from the web including social media sites. Data scraping creates privacy risks and potential harms, such as the information people post online being used for reasons they don’t expect, exploited in cyberattacks or used for identity fraud.
Data scraping is dangerous to an individual in many ways than one. The biggest threat is identity theft. Cyber criminals can create an effective and almost complete profile of a person. Using this profile attack can be structured to create an almost real like profile for undertaking nefarious activities. The profile can also be used to takeover accounts (financial as well as digital) using approach like forgot password or talking to help desk and convincing the helpdesk that the fraudster is the real person. Another way is to use scaped personal data to convince near and dear ones to partway with money as if to help that person in distress. The list is endless and depends on innovativeness of cybercriminals.
The threats listed in the above-mentioned joint statement of world's’ personal data protection authorities are:
“In recent years, many data protection authorities have seen increased reports of mass data scraping from SMCs and other websites. The reports raise a number of privacy concerns, including the use of scraped data for:
Targeted cyberattacks – for example, scraped identity and contact information posted on ‘hacking forums’ may be used by malicious actors in targeted social engineering or phishing attacks.
Identity fraud – scraped data may be used to submit fraudulent loan or credit card applications, or to impersonate the individual by creating fake social media accounts.
Monitoring, profiling and surveilling individuals – scraped data may be used to populate facial recognition databases and provide unauthorised access to authorities.
Unauthorised political or intelligence gathering purposes – scraped data may be used by foreign governments or intelligence agencies for unauthorised purposes.
Unwanted direct marketing or spam – scraped data may include contact information that can be used to send bulk unsolicited marketing messages
More broadly, individuals lose control of their personal information when it is scraped without their knowledge and against their expectations. For example, data scrapers may aggregate and combine scraped data from one site with other personal information, and use it for unexpected purposes. This can undermine individuals’ trust in the SMC or other websites, with potentially detrimental impacts on the digital economy. Moreover, even if individuals decide to delete their information from a social media account, data scrapers will likely continue using and sharing information they have already scraped, limiting individuals’ control over their online presence and reputation”
Under personal data protection laws of all the countries if do not cover data scraping as a breach, but nowhere it is specifically exempted except under new law of India, the Digital Personal Data Protection Act 2023.
Section 3(c) (ii) of the Digital Personal Data Protection Act specifically states that the law will not apply
“(ii) personal data that is made or caused to be made publicly available by—
(A) the Data Principal to whom such personal data relates; or
(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.”
According to several judgements by Indian courts especial in defamation cases, it is standard acceptance, if a communication has more than two persons in it then it is in public and defamation law applies. Hence any information share on Facebook wall or group of WhatsApp is public information. The details shared on LinkedIn are public. Any information shared in blog, comments, public grievances are all publicly available personal data. And if this data is scrapped manually or automatically then it is not covered under DPDPA 2023, and such collector is not a data fiduciary and cannot be penalised and such person is safe from penalties.
Please see this video by NDTV and note at time 5:20 mintes onward as to how cybercriminals uses publicly available (Scraped Data) information to commit crime:
And see how the law is toothless against these criminals. Please note the sheer helplessness of the law enforcement agencies at 21:40 minutes onward. Sadly, an opportunity to tame these criminals was lost by categorically keeping such public data out of reach of the Digital Personal Data Protection Act 2023. The fear of penalties is also no more there. Social Media platforms will take no measures to protect such data.
Therefore, in author’s humble view, by specially keeping personal data in public domain out of the scope of the Digital Personal Data Protection Act, 2023 is anti-thesis of what world is doing and by de-criminalising it, the support from civil and criminal laws is also removed unless actual criminal act happens. There can be no way to estimate as to how much loss a person may suffer from such breach, hence no compensation can be processed for unknown and arbitrary future loss. It will be nearly impossible to convince any civil court for seeking compensation. There is no provision for compensation to data Principal under the DPDPA 2023
Can the situation be retrieved through rules or notification? It seems near impossible because rules and notifications will be bound by the Section 3(c)(ii)(A).
#DataScraping #Data #GDPR #ICO #InformationComissioner #DPDPA #DigialPersonalDataProtectionAct #DPDPA2023 #Personal #PersonalDataProtection #Law #EuropeanUnion #Scraping #Meta #LinkedIn #WhatsApp #Instagram #Google #PublicInformation #SocialMedia #SMP