A group of 12 nations, including Canada, Australia, the UK and New Zealand, have issued a joint call on social media companies (SMCs) to protect personal information on their platforms from unlawful data scraping.

A statement issued week by members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group (IEWG), including the Office of the Australian Information Commissioner, Australia, and Office of the Privacy Commissioner, New Zealand, included a series of “recommendations” to prevent data scraping.

Although it was pointed out that many of these recommendations are explicit statutory requirements in particular jurisdictions “or may be interpreted as such by courts and data protection authorities.”

“Social media companies and the operators of websites that host publicly accessible personal data have obligations under data protection and privacy laws to protect personal information on their platforms from unlawful data scraping,” the group said in a joint letter.

The statement has also been simultaneously delivered to Alphabet Inc. (YouTube), ByteDance Ltd (TikTok), Meta Platforms, Inc. (Instagram, Facebook and Threads), Microsoft Corporation (LinkedIn), Sina Corp (Weibo), and X Corp. (X, previously Twitter).

It states SMCs and other websites should implement multi-layered technical and procedural controls to mitigate the risks from unlawful data scraping.

A series of controls were suggested including:

• "Rate limiting" the number of visits per hour or day by one account to other account profiles, and limiting access if unusual activity is detected.
• Monitoring how quickly and aggressively a new account starts looking for other users. If abnormally high activity is detected, this could be indicative of unacceptable usage.
• Taking steps to detect scrapers by identifying patterns in "bot” activity. For example, a group of suspicious IP addresses can be detected by monitoring from where a platform is being accessed by using the same credentials from multiple locations. This would be suspicious where these accesses are occurring within a short period of time.
• Taking steps to detect bots, such as by using CAPTCHAs, and blocking the IP address where data scraping activity is identified.
• Where data scraping is suspected and/or confirmed, taking appropriate legal action such as the sending of "cease and desist" letters, requiring the deletion of scraped information, obtaining confirmation of the deletion, and other legal action to enforce terms and conditions prohibiting data scraping
• In jurisdictions where the data scraping may constitute a data breach, notifying affected individuals and privacy regulators as required.

The statement concludes by requesting that the SMCs respond with feedback within a month demonstrating how they will meet regulators' expectations. Although there is no specific information on what action will be taken if this deadline is not met.