Twelve data protection and privacy authorities from around the world, including the UK’s ICO, have issued a joint statement regarding protecting personal data from unlawful scraping from social media sites. Such activity can lead to privacy risk and potential harm to individuals. The joint statement sets expectations on organisations having a lawful basis for using data when it is publicly available.
The joint statement also features ‘Takeaways’ which are as follows:
- Personal information that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions.
- Social media companies and the operators of websites that host publicly accessible personal data have obligations under data protection and privacy laws to protect personal information on their platforms from unlawful data scraping.
- Mass data scraping incidents that harvest personal information can constitute reportable data breaches in many jurisdictions.
- Individuals can also take steps to protect their personal information from data scraping, and social media companies have a role to play in enabling users to engage with their services in a privacy protective manner.
Swiss authorities have revised the 1992 The Federal Act on Data Protection (FADP) and the new regulations will come into effect on 1 September 2023. Details of the updated legislation can be found here.
Norway’s data protection authority (Datatilsynet) has published guidelines for monitoring employees via company-issued electronic equipment.
According to the official press release, “digital work tools can record large amounts of information about employees. Monitoring of employees’ electronic equipment is therefore basically illegal. […] For employees, it can be challenging to know what information is collected, what is stored and how the information is used. Employers can also use the opportunity inherent in these tools to keep an eye on their employees. In Norway, we have separate regulations that apply to employers’ access to employees’ e-mail boxes and other electronically stored material. The regulation prohibits the monitoring of employees’ use of electronic equipment”.