Regulators representing a dozen international privacy watchdogs, including the UK’s ICO, Canada’s OPC, and Hong Kong’s OPCPD, have issued a joint statement calling on mainstream social media platforms to safeguard users’ public posts from scraping. Regulators stressed that internet-public personal data is subject to privacy laws in most places. Those scraping such data and the platforms hosting it share responsibilities to ensure compliance with these laws. Mass data scraping could qualify as a reportable data breach in various jurisdictions.
The regulators emphasized privacy risks: cyberattacks, fraud, unauthorized surveillance, and political use due to data scraping. While the statement didn’t explicitly reference AI model training, the regulators pointed out that generative AI models relying on scraped data could be exploited for malicious purposes.
The statement’s timing aligns with growing interest in data-intensive generative AI models, possibly fueling increased scraping. Notably, high-profile AI models like OpenAI’s ChatGPT have relied on online data for training, leading to concerns about data privacy. A class-action lawsuit against OpenAI alleges secret scraping of personal data.
The regulators directly communicated the statement to major social media platforms, including Alphabet, ByteDance, Meta, Microsoft, Sina Corp, and X. The statement advises platforms to assess the legality of scraping practices within their jurisdictions. Additionally, it urges them to implement measures to guard against unlawful data scraping.
To minimize data scraping risks, recommended measures include setting up in-house teams to handle scraping risks, limiting access rates, and monitoring unusual activity. Additionally, they involve detecting bot patterns and taking legal action against scrapers. The regulators encouraged platforms to respond within a month, demonstrating their commitment to meeting the expectations outlined in the statement.
While stressing the significance of data protection, the regulators did not directly threaten enforcement actions in the statement, which could potentially dilute its impact. The regulators also advised individuals to be cautious about sharing personal information online and suggested using privacy settings.
The joint statement globally underscores rising concerns over data scraping, especially in AI training and cyber threats.