The joint statement, issued at a time when generative AI poses new challenges to people’s data, has been sent directly to Alphabet (YouTube), ByteDance (TikTok), Meta Platforms (Instagram, Facebook and Threads), Microsoft (LinkedIn), Sina Corp (Weibo), and X Corp (X, previously Twitter).
The statement, singed by the key privacy regulators from the UK, Canada, Hong Kong, Australia, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, Argentina and Mexico, urged social media platforms to protect users’ public posts from scraping, saying that mass data scraping incidents that harvest personal information can constitute reportable data breaches in many jurisdictions.
Scraped personal information can be exploited for various purposes, such as monetisation through re-use on third-party websites, sale to malicious actors, or private analysis or intelligence gathering, resulting in serious risks to individuals.
“In most jurisdictions, personal information that is ‘publicly available’, ‘publicly accessible’ or ‘of a public nature’ on the internet, is subject to data protection and privacy laws,” they wrote.
Social media companies and the operators of other websites that host publicly accessible personal information also have data protection obligations with respect to third-party scraping from their sites.
“SMCs and other websites are responsible for protecting individuals’ personal information from unlawful data scraping,” the privacy regulators added.
As no one safeguard will adequately protect against all potential privacy harms associated with data scraping, SMCs and other websites should implement multi-layered technical and procedural controls to mitigate the risks, they advised.
The regulators said they welcome any feedback from SMCs in the next one month, demonstrating how they comply with the expectations outlined in this joint statement.