More than a year after their joint statement calling on social media companies (SMCs) to protect personal information on their platforms from unlawful data scraping, an expanded group of global privacy authorities has outlined progress so far.

The group, which includes Australia and New Zealand among 16 other global data protection authorities, has also issued a followup statement which adds further expectations sent to the parent companies of social media companies (SMCs) YouTube, TikTok, Instagram, Threads, Facebook, LinkedIn, Weibo, and X (the platform formerly known as Twitter).

The statement includes a recommendation that “To effectively protect against unlawful scraping, organizations should deploy a combination of safeguarding measures, and those measures should be regularly reviewed and updated to keep pace with advances in scraping techniques and technologies.”

The challenge of doing so was highlighted by outlining results from engagement with (SMCs) since the initial statement was released in 2023, which called on industry to identify and implement controls to protect against, monitor for, and respond to data scraping activities on their platforms, including by taking steps to detect bots and block IP addresses when data scraping activity is identified, among other measures.

“In the Initial Statement, the co-signatories highlighted the need for SMCs and other organizations to implement a multi-layered approach to protecting publicly accessible data on their platforms from unlawful scraping.

“Through our engagements that followed the issuance of that statement, we established that, while SMCs face challenges in protecting against unlawful scraping (such as increasingly sophisticated scrapers, ever-evolving advances in scraping technology, difficulty in differentiating scrapers from authorized/lawful users, and the need to maintain a user-friendly interface), they are motivated to protect against unauthorized scraping.”

“… we also learned of further measures, beyond those detailed in the Initial Statement, that organizations employ to protect against data scraping, such as the implementation of platform design elements that make it harder to scrape data using automation (e.g., random account URLs, random interface design elements, and tools to detect and block malicious internet traffic).

“We learned that the rapid emergence of AI can represent a threat to privacy. SMCs told us that scrapers are now using AI to scrape data more effectively (e.g., via “intelligent” bots that can simulate real user activity). At the same time, SMCs explained that they too are employing AI to better detect and protect against unauthorized scraping, highlighting that innovative AI tools can also be part of the solution.

“Ultimately, the co-signatories learned that while no measure is guaranteed to protect against all unlawful scraping — since sophisticated low-volume scraping can often resemble user activity — a multi-layered and dynamic combination of safeguards can be particularly effective in protecting against mass scraping and the amplified harms that can result when a large volume of data subjects are affected.

“Data scraping is a complex, broad and evolving issue that is, and will stay on the radar of data protection authorities. It should also be a focus for other stakeholders that have a role in protecting privacy, including those with whom we engaged in the course of this initiative. The co-signatories will continue to work to promote compliance in this area, including via future engagement with concerned stakeholders, complementary policy development, public education campaigns, and enforcement, including collaborative enforcement.

The follow-up joint statement lays out further expectations, including that organisations:

• comply with privacy and data protection laws when using personal information, including from their own platforms, to develop AI large language models

• deploy a combination of safeguarding measures and regularly review and update them to keep pace with advances in scraping techniques and technologies

• ensure that permissible data scraping for commercial or socially beneficial purposes is done lawfully and in accordance with strict contractual terms.

Read the full statement HERE