Blog details

Web Scraping is almost always unlawful under the GDPR

Web Scraping is almost always unlawful under the GDPR

Under the GDPR, web scraping is almost always unlawful, except for in very few exceptional cases. 


The automatic collection and storage of information from the Internet is referred to as web scraping. Through this process, a computer program automatically extracts data from the internet, for example by scanning social media platforms. Scraping involves the rapid gathering of personal data from numerous individuals. This data collection, which often involves personal information, raises significant privacy concerns. The information collected by scraping may encompass various aspects of a person’s life, including sensitive personal data, as well as criminal records. Data of this nature should always be protected from unauthorised collection and use. The Dutch Data Protection Authority recently released guidance, clarifying that in the majority of cases, this process is considered unlawful under the GDPR. 


Under the GDPR, most cases of web scraping are strictly prohibited.


According to the recently released guidelines from the Dutch DPA, private individuals and private parties are in most cases, not authorised to engage in scraping. In order to legally engage in web scraping, these groups must adhere to very strict limitations. The Dutch DPA makes it clear that only specific types of data may be targeted, in the event an individual or entity is participating in web scraping. It is unlawful to scrape the internet to create profiles of people and then resell them. In addition, scraping information from protected social media accounts or private forums is strictly prohibited. Organisations are also not allowed to scrape data from public social media profiles, with the aim of determining whether or not those people are eligible for a service like insurance, etc.


The GDPR does not apply to domestic web scraping, and also allows for very limited web scraping by organisations.


Web scraping may be permitted in exceptional cases. For example, when a private individual uses web scraping for casual reasons, like for a hobby project, and only shares the results with a few friends, this is considered to be a case of ‘domestic use’. The GDPR does not apply to domestic scraping and so this is therefore allowed, provided this project only targets specific, limited data. Web scraping by private organisations and private individuals is only possible on the basis of legitimate interest. The Dutch DPA makes it clear that scraping should never be used for the sole purpose of making money. Scraping by a business or organisation may be permitted under the GDPR, if it is done in a very targeted manner. If an organisation scrapes the websites of news media to gain insight into relevant news about its own company, for example, this is not considered illegal. While web scraping may be allowed in the few aforementioned cases, it is important to note that very strict conditions apply, and that these conditions are difficult, and almost never possible to meet.


The Dutch DPA clarifies that the public availability of information online, does not make it lawful to scrape the internet for this information. 


Due to the widespread public availability of information on the internet, some organisations may be under the misconception that scraping the internet for this data is allowed, as this information is readily available to everyone. The Dutch DPA clarifies, however, that just because information is publicly available, does not make it lawful for an organisation to scrape the web for this data. “… the fact that information about you is public does not automatically mean that you also give permission for scraping,” says Aleid Wolfsen, chairman of the Dutch DPA. ‘Even if you post on your social media account that you recently won the lottery or had an operation, you do not give permission for that data to be scraped. You only give permission to collect personal data if you have been asked in advance. That is usually not possible with scraping.’


 As Dr Bostjan Makarovic, Managing Partner of Aphaia, asserts,“The Dutch DPA’s guidance confirms many privacy professionals’ earlier scepticism over web scraping as an indiscriminately data processing practice that has gradually become widespread and therefore almost normalised.”

In an era of heightened data concerns, ensuring compliance with data privacy acts is paramount. At Aphaia, based in London, Madrid, and now Rotterdam, we understand the challenges your organisation may face in navigating the intricacies of these regulations. Take that first step today, and let’s build a secure future for your organisation together. Contact Aphaia today.

Prev post
Facial Recognition Technology: legal clarification from the Netherlands DPA
May 9, 2024
Combat the threat of cyber attacks
Next post
Combat the threat of cyber attacks: A call to action from the ICO
May 23, 2024