ICO to publish joint statement on data scraping and data protection

The Information Commissioner’s Office (ICO) and eleven other data protection and privacy authorities from around the world have published a joint statement calling for the protection of people’s personal data from unlawful data scraping taking place on social media sites.

Data scraping is an automated way to pull large amounts of information from the web. Scraping from social media creates privacy risks and potential harms, such as the information people post online being used for reasons they don’t expect, exploited in cyberattacks or used for identity fraud.

The joint statement published today sets expectations for how social media companies should protect people’s data from unlawful data scraping. It also recommends steps people can take to minimise risks when sharing information online.

Stephen Bonner, ICO Deputy Commissioner for Regulatory Supervision: “This joint statement helps provide certainty, and consistency across borders, in how data protection applies to information people post online. Organisations must have a lawful reason for collecting and using people’s data, even when it is publicly available. Social media companies have obligations under UK data protection law to protect the information people post on their platforms. We are seeing increased reports of mass data scraping from social media and remind organisations that such incidents may require reporting to the ICO as a personal data breach.”

The ICO is the UK's independent body set up to uphold information rights.

Link to the Joint statement on data scraping and the protection of privacy


The joint statement is signed by twelve authorities brought together by the Global Privacy Assembly. Social media companies are invited to respond and demonstrate how they protect people from unlawful scraping.

The signatories of the joint statement are:

Office of the Australian Information Commissioner

Office of the Privacy Commissioner of Canada

Information Commissioner’s Office – United Kingdom

Office of the Privacy Commissioner for Personal Data – Hong Kong, China

Federal Data Protection and Information Commissioner – Switzerland

Datatilsynet – Norway

Office of the Privacy Commissioner – New Zealand

Superintendencia de Industria y Comercio – Columbia

Jersey Office of the Information Commissioner

CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) - Morocco

AAIP (Agency for Access to Public Information) - Argentina

INAI (National Institute for Transparency, Access to Information and Personal Data Protection) - Mexico