Data scraping is a technique where information on one platform is exported onto another. The practice is widespread and is used for all sort of reasons, like market analysis or advertising. The kind of information located and extracted is as varied as the kind of information that exists on the internet–which is to say, anything and everything–but where it becomes particularly interesting is when personal information is being scraped.
A recent U.S. case, and a less recent case from Poland, shed some light on the current legal state of play on both sides of the Atlantic when it comes to scraping, and offer yet another data point on the different lenses through which Americans and Europeans view the processing of personal information.
In the U.S., data scraping has at times raised concerns under the Computer Fraud and Abuse Act, or CFAA. The CFAA is a federal anti-hacking statute originally passed in 1984 and amended multiple times, most recently in 2008. At its core, the law prohibits the knowing or intentional access of a computer system “without authorization,” and creates both criminal penalties and private rights of action for affected parties. Courts have addressed the question of whether data scraping falls under the kind of behavior that the CFAA prohibits: that is, whether data scraping counts as access to a computer system “without authorization.” Different circuits have taken slightly different approaches. In one notable case (United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)), the Ninth Circuit viewed the CFAA’s prohibitions narrowly, distinguishing between misappropriating data and obtaining data without authorization. The court reasoned that to do otherwise would tend to transform “innocuous behavior into federal crimes simply because a computer is involved.” Other courts, like the First Circuit, have taken similar approaches, but with varying degrees of openness to the question of what an organization might do to limit scraping. See, e.g., EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003).
The latest decision continues the trend of courts holding that data scraping likely does not implicate the CFAA. In hiQ Labs v. LinkedIn Corp., a Ninth Circuit panel held that hiQ’s continued scraping of personal information maintained by LinkedIn, despite LinkedIn’s cease and desist directive to hiQ, likely did not rise to the level of a CFAA violation. hiQ’s data scraping involved obtaining publicly available LinkedIn data for its corporate analytics tools. The panel reasoned that, in this case, hiQ was obtaining “information for which access is open to the general public and permission is not required.” According to the panel’s reasoning, mere fact that LinkedIn provided a cease and desist letter likely did not create an authorization bar to hiQ’s behavior.
But on the other side of the Atlantic, the picture looks different. Back in March 2019, Poland’s data protection authority fined the company Bisnode 220,000 Euros for its data scraping activities. The Polish DPA reasoned that Article 14 of the GDPR required Bisnode to inform each of the approximately 6 million individuals whose data it had obtained from publicly-available website that it was collecting and processing their data, and required them to do so. Article 14 creates a number of obligations on data controllers (that is, those entities determining how personal data is to be used) to inform individuals that their personal data is being processed in cases where those individuals have not been the ones to provide their personal information to the controller. Bisnode had attempted to meet its notification obligation through a website posting, and reasoned that to do otherwise would be so cost-prohibitive as to be disproportionate and thus unnecessary under Article 14. The Polish DPA disagreed, enforcing its literal reading of Article 14. Bisnode intends to fight the Polish DPA’s decision, so the prevailing interpretation of Article 14 is not yet final.
The contrast between the different approaches to data processing and data aggregation activities could not be more striking–even the toolkits available to regulators and consumers on either side of the Atlantic are different. Notwithstanding the CCPA’s adoption of GDPR-like data privacy rights, the future portends increasing divergence. In Europe, the European Union’s leadership is in transition and a powerful and hawkish “digital czar” is ready to take the helm. In the U.S., efforts at federal legislation relating to privacy rights appear stalled. Making sense of what this means for businesses trying to determine best practices and limit liability is as complex now as it has ever been.