Online platforms under greater scrutiny to address unlawful data scraping
29 August 2023
The Office of the Australian Information Commissioner (OAIC) and eleven other data protection and privacy regulators issued a joint statement that operators of platforms (especially social media platforms) and other publicly accessible sites have obligations to protect publicly available personal information from unlawful data scraping, and that data scraping incidents can constitute notifiable data breaches.
This is a significant shift in regulatory focus: from clamping down on those that unlawfully collect personal information through scraping (such as Clearview AI, Inc) to placing greater regulatory scrutiny on operators of online sites and platforms that host publicly accessible personal information (particularly those with significant or sensitive datasets), and on their obligations to protect that information from unlawful data scraping.
The joint statement is targeted not only at social media sites but also at any other operators of websites and platforms that host publicly accessible information, such as operators of online forums and of sites where paid subscribers can, through their subscription, access personal information of individuals posted on the service platform.
Where the publicly available personal information that was the subject of unlawful data scraping contains sensitive personal information (such as health information or biometric information) or government identifiers (such as passport numbers or Medicare numbers), there is a higher risk of harm to individuals resulting from the misuse of, and interference with, such personal information. This in turn makes it more likely that the scraping constitutes a notifiable data breach under Australia's Privacy Act 1988 (Cth) (Privacy Act).
Under the Privacy Act, the OAIC can investigate whether there has been an interference with an individual's privacy and make a determination accordingly. Enforcement steps by the OAIC may include obtaining enforceable undertakings, and bringing legal proceedings to seek the imposition of civil penalties and the payment of compensation to affected individuals. The OAIC and third parties may also seek injunctions to restrain breaches of the Privacy Act.
Operators of platforms and websites that host publicly accessible personal information should:
Authors: Tim Brookes, Partner; Kendrick Deng, Lawyer; and Andrew Hilton, Expertise Counsel.