New Guidance on Scraping of Publicly Available Personal Data Published by French Privacy Regulator
5 May 2020
Technology & eCommerce Regulation in the Spotlight
The French Supervisory Authority (“CNIL”) published new guidance on the scraping and extraction of personal data from publicly available databases and web pages using automated tools, and the reusing of such data for direct marketing purposes. The guidance was issued after several complaints concerning such practices were received by the CNIL.
The CNIL carried out several inspections in the previous year revealing breaches of the General Data Protection Regulation (“GDPR”) and the French Data Protection Act. In its inspections, the CNIL observed number of companies that used tools, such as web scraping, to automatically collect data subjects’ contact information from public spaces on the internet, without providing any notice to or obtaining the consent of the data subjects.
In its guidance, the CNIL reminds data controllers that such contact data, although publicly available, is considered personal and cannot be freely reused or processed by any data controller without complying with the GDPR’s requirements, including with respect to providing adequate notice and respecting data subject rights. Accordingly, companies that scrape personal data from public web domains must adhere to the basic data protection principles.
According to the guidance, companies that scrape personal data shall obtain the freely given, specific, informed and unambiguous consent of data subjects before using it for marketing purposes. The CNIL emphasizes that when data subjects are sharing the personal data with one data controller, they do not expect the data will be reused by another controller and hence such practice requires their consent. In addition, when scraping, companies must respect the data subjects’ right to object to the processing of their personal data as it is provided in the GDPR. To do so, web scraping tools must not collect data of individuals included in opt-out lists from telecom operators or in France’s BLOCTEL system.
The CNIL also recommended taking the following steps before using web scraping tools:
- Minimizing data collection – as with any other processing of personal data, the collection of data shall be reduced to what is strictly necessary. Companies using web scraping software must avoid collecting irrelevant or excessive data, in particular if the data is of sensitive nature;
- Informing affected individuals – companies using web scarping tools shall provide notice to data subjects whose data will be extracted, at the latest at the time of the first communication between the company and the data subject. The notice must contain the information listed in Article 14 of the GDPR and the source of personal information in particular;
- Establishing contractual relationships with service providers – when companies are hiring the services of web scraping service providers to scrape personal data on their behalf, they must ensure that the service providers comply with the measures described in the guidance. In addition, companies shall make sure that their processors are complying with the requirements of the GDPR and sign data protection agreements as required by article 28 of the GDPR.
- Performing Data Protection Impact Assessments (“DPIA”) – in certain situations a DPIA is compulsory before the processing of personal data is carried out, as required by article 35 of the GDPR. However, the CNIL states that even if a DPIA is not required, it is a good practice carry out one before scraping personal data.
On the same matter, we previously reported on the case of LinkedIn v. HiQ Labs, in which the US Court of Appeal of the Ninth Circuit ruled against LinkedIn in a case involving the access to and scraping of data (including personal data) from Linkedin’s social network by HiQ Labs.
Feel free to contact us with any further question or comments regarding the update and subjects detailed above.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
Herzog Fox & Neeman