DCN May 2016 - Page 36

data protection SCRAPE FEAR Tom Lingard and Aidan Grant of Stevens & Bolton LLP explain why you can’t just scrape by when it comes to data protection. T here’s no doubt that in today’s world Big Data means big business and it’s no surprise that, in order to capitalise on this information, companies are turning to alternative methods to learn more about their customers. One option is to use software which extracts information from websites via data scraping and then presents the data on a sophisticated dashboard for the company. Indeed, so popular is data scraping today that analysis conducted by Sentor in its annual ScrapeSentry report concluded that 23 per cent of all Internet traffic in 2013 could be attributed to the activity. Given the increasing use of such techniques in a company’s marketing analysis it is important to pause and take stock of the legal issues involved in collecting customer information in this way. Obtaining the data Many websites have express provisions in their terms and conditions dealing with data scraping. Twitter’s Terms of Service, by way of example, state that: 36 ‘scraping the Services without the prior consent of Twitter is expressly prohibited’. This would appear to be a clear prohibition of data scraping of any kind without consent; however the legal position is not as straightforward as these terms and conditions suggest. The landscape of database protection shifted in 2015 with the ECJ case of Ryanair v PR Aviation. Previously companies were able to rely on (i) copyright, (ii) database rights – both provided for under the EU’s Database Directive – and (iii) their own website’s terms and conditions. Following Ryanair, companies can no longer protect themselves with these IP rights in conjunction with terms and conditions; if websites are protected by copyright or database rights then companies are not permitted to restrict data scraping in their terms and conditions. Conversely, if companies cannot prove that their website attracts such rights, then they are permitted to prohibit data scraping. The latter scenario may allow a company to promote a blanket ban on scraping, but any prohibition will still rely on the company being able to enforce its terms and conditions; in other words by demonstrating that there has been a breach of contract. The problem is that the binding nature of online terms and conditions has not been dealt with directly in the UK courts yet. The Information Commissioner’s Office (ICO) published guidance in 2013 suggesting that best practice should be for a user to actively confirm their consent by ticking a blank box (ie. an opt-in agreement). Companies who are reluctant to require users to consent in this way – in the fear it will put off users and turn away traffic – may soon find themselves faced with a lack of protection against their database being scraped. Collating the data Although obtaining individuals’ information from separate sources raises a number of legal questions in itself, collating the data in one place and then using the results gives rise to further issues. The central consideration here is whether individuals have granted consent to information