data protection
about themselves being gathered,
particularly where they can be
personally identified from the
information.
The Data Protection Directive
defines consent as ‘any freely given
specific and informed indication
of (a user’s) wishes by which (a
user) signifies his agreement to
personal data relating to him being
processed’. Facebook stipulates in
its Data Policy that it shares user
data for ‘advertising, measurement
and analytics services’, a policy
which all users must agree to prior
to creating an account. Arguably
then, every Facebook user has
consented to Facebook permitting
data scrapers to acquire their
information. This is important
because, under the Data Protection
Act 1998, it is an offence to obtain
or disclose personal data without
the consent of the data subject;
‘personal data’ in turn is defined
in the Act in general as data which
relates to a living individual who can
be identified from that data.
The issue faced by these data
scraping programs is that, whilst
details obtained from one website
may in isolation not be sufficiently
‘personal’ to constitute personal data,
when data from multiple websites
is aggregated the company may
inadvertently find itself in possession
of personal data without the consent
of the individual concerned.
As a hypothetical example, a
program might collate the Twitter
usernames of everyone who has
retweeted a company’s tweets
in the last 12 months. This data
may not in itself be sufficiently
personal to allow individuals to be
identified and so not breach data
protection rules. If the software then
scrapes Facebook and a user has
referenced their Twitter account on
Facebook, when the Facebook and
Twitter data is read together the
company may now inadvertently be
in possession of data from which
an individual can be identified – ie.
personal data. Under the websites’
terms and conditions the software
may have conducted perfectly legal
data scraping but someone using
the results may find themselves in
breach of data protection rules as
they don’t have permission from the
individual to use the personal data.
consented to being sent such
communication. In addition to such
a fine, a company may find itself
faced with calls from individuals
for compensation for distress. In
2015 the Court of Appeal backed
consumers in Google vs. Vidal-Hall
by confirming that, in order to bring
a claim for distress, an individual
does not even need to show
financial loss. Indeed since 2010
the ICO has issued fines totalling
over £6,400,000 for breaches of
the Data Protection Act.
Using the data
Having collated sufficient
information on individuals to build up
a directory of customers, a company
may be tempted to use the
information for marketing purposes,
rather than analytics alone. Even if
the information doesn’t constitute
personal data, the company may
be in possession of sufficient detail
to allow it to contact the individual.
Companies considering such
activities should be aware that the
consent required from individuals
to collate their personal data is
distinct from the consent to be
sent unsolicited communications.
Under the Privacy Regulations an
individual recipient of unsolicited
emails or automated calls must have
given their prior consent to being
contacted and the consent must
have been given to the sender.
The dangers of overstepping
data protection rules should not
be taken lightly: in December
2015 the ICO fined the Telegraph
Media Group £30,000 for
sending unsolicited marketing
communications to its readers
during the 2015 General Election.
The ICO held that none of the
Telegraph’s readers had specifically
Many websites have express provisions
in their terms and conditions dealing with
data scraping.
What should be done?
These issues should serve as a
warning to companies engaging in
such activities to check carefully
what information these programs
collate and that the necessary
consents have been obtained from
each source. Companies should not
assume that, simply because the
software has the necessary licences
and consents to be used, they
themselves can be covered by the
same consents. The data needs to
be considered not only as separate
sets of data, but holistically to ensure
that, if necessary, consent has been
obtained from individuals for the
collation of their personal data and
an agreement to be contacted as
part of a marketing campaign.
37