The Netherlands: New Data Scraping Guidelines
The Dutch Data Protection Authority (AP) has recently issued new guidance on data scraping. The guide highlights the significant legal risks it poses to personal data and the restrictions required under the GDPR.
Data scraping is the automated collection and storage of information from the Internet. According to the AP, private entities and individuals perform scraping without specific consent the practice violates GDPR requirements.
The AP guidance determines that information being publicly available does not indicate consent of the data subject for any use of the data.
It clarifies that scraping is a new purpose of processing requiring consent for this purpose.
The AP concludes that the only valid legal basis under the GDPR for performing the scraping is the legitimate interest of the company.
Furthermore, when assessing the cases when a company may have a legitimate interest in performing scraping – the AP determines: scraping is almost always illegal.
There may be, according to AP, uses that can be brought in line with the GDPR, such as:
- Public news websites.
- Web pages owned by the company.
- Public online forums, etc.
The AP guidance represents a growing interest of the European regulators in the practice of scraping.
Whether other European regulators and the judiciary will accept the opinion found in the guidance remains uncertain at this early stage.
Companies who practice web-scraping should re-assess their practices when it comes to the personal data of Europeans.
****
Barnea Jaffa Lande’s Privacy, Data Protection and Cyber Department is at your service for any questions regarding the adaptation of your business activity to the provisions of privacy laws in Israel, Europe, the United States, and other jurisdictions.
Dr. Avishay Klein is a partner and heads the department.
Adv. Masha Yudashkin is an associate in the department.