Logo
Media Centre

New Guidance on Scraping of Publicly Available Personal Data Published by French Privacy Regulator

Ariel Yosefi

5 May 2020

05/05/2020

Technology & eCommerce Regulation in the Spotlight

The French Supervisory Authority (“CNIL”) published new guidance on the scraping and extraction of personal data from publicly available databases and web pages using automated tools, and the reusing of such data for direct marketing purposes. The guidance was issued after several complaints concerning such practices were received by the CNIL.

The CNIL carried out several inspections in the previous year revealing breaches of the General Data Protection Regulation (“GDPR”) and the French Data Protection Act. In its inspections, the CNIL observed number of companies that used tools, such as web scraping, to automatically collect data subjects’ contact information from public spaces on the internet, without providing any notice to or obtaining the consent of the data subjects.

In its guidance, the CNIL reminds data controllers that such contact data, although publicly available, is considered personal and cannot be freely reused or processed by any data controller without complying with the GDPR’s requirements, including with respect to providing adequate notice and respecting data subject rights. Accordingly, companies that scrape personal data from public web domains must adhere to the basic data protection principles.

According to the guidance, companies that scrape personal data shall obtain the freely given, specific, informed and unambiguous consent of data subjects before using it for marketing purposes. The CNIL emphasizes that when data subjects are sharing the personal data with one data controller, they do not expect the data will be reused by another controller and hence such practice requires their consent. In addition, when scraping, companies must respect the data subjects’ right to object to the processing of their personal data as it is provided in the GDPR. To do so, web scraping tools must not collect data of individuals included in opt-out lists from telecom operators or in France’s BLOCTEL system.

The CNIL also recommended taking the following steps before using web scraping tools:

  • Verifying the nature and origin of the data – the CNIL notes that scraping and extracting data from websites that prohibit in their terms of use the extraction and reuse of data is unlawful;
  • Minimizing data collection – as with any other processing of personal data, the collection of data shall be reduced to what is strictly necessary. Companies using web scraping software must avoid collecting irrelevant or excessive data, in particular if the data is of sensitive nature;
  • Informing affected individuals – companies using web scarping tools shall provide notice to data subjects whose data will be extracted, at the latest at the time of the first communication between the company and the data subject. The notice must contain the information listed in Article 14 of the GDPR and the source of personal information in particular;
  • Establishing contractual relationships with service providers – when companies are hiring the services of web scraping service providers to scrape personal data on their behalf, they must ensure that the service providers comply with the measures described in the guidance. In addition, companies shall make sure that their processors are complying with the requirements of the GDPR and sign data protection agreements as required by article 28 of the GDPR.
  • Performing Data Protection Impact Assessments (“DPIA”) – in certain situations a DPIA is compulsory before the processing of personal data is carried out, as required by article 35 of the GDPR. However, the CNIL states that even if a DPIA is not required, it is a good practice carry out one before scraping personal data.

 

On the same matter, we previously reported on the case of LinkedIn v. HiQ Labs, in which the US Court of Appeal of the Ninth Circuit ruled against LinkedIn in a case involving the access to and scraping of data (including personal data) from Linkedin’s social network by HiQ Labs.

****************************************

Feel free to contact us with any further question or comments regarding the update and subjects detailed above.

Kind regards,

Ariel Yosefi, Partner

Head of Technology & eCommerce Regulation

Herzog Fox & Neeman

 

Related Practice Areas

Related Lawyers

More news

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation
Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
Kentucky is the 15th US State to Adopt Comprehensive Data Protection Legislation
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.

    Search by
    Search by +

    Search