data protection
SCRAPE FEAR
Tom Lingard and Aidan Grant of Stevens & Bolton LLP explain
why you can’t just scrape by when it comes to data protection.
T
here’s no doubt that in
today’s world Big Data
means big business and
it’s no surprise that,
in order to capitalise
on this information, companies are
turning to alternative methods to
learn more about their customers.
One option is to use software
which extracts information from
websites via data scraping and then
presents the data on a sophisticated
dashboard for the company. Indeed,
so popular is data scraping today
that analysis conducted by Sentor
in its annual ScrapeSentry report
concluded that 23 per cent of all
Internet traffic in 2013 could be
attributed to the activity.
Given the increasing use of
such techniques in a company’s
marketing analysis it is important
to pause and take stock of the
legal issues involved in collecting
customer information in this way.
Obtaining the data
Many websites have express
provisions in their terms and
conditions dealing with data
scraping. Twitter’s Terms of Service,
by way of example, state that:
36
‘scraping the Services without the
prior consent of Twitter is expressly
prohibited’. This would appear to be
a clear prohibition of data scraping
of any kind without consent;
however the legal position is not as
straightforward as these terms and
conditions suggest.
The landscape of database
protection shifted in 2015 with the
ECJ case of Ryanair v PR Aviation.
Previously companies were able to
rely on (i) copyright, (ii) database
rights – both provided for under
the EU’s Database Directive – and
(iii) their own website’s terms and
conditions. Following Ryanair,
companies can no longer protect
themselves with these IP rights
in conjunction with terms and
conditions; if websites are protected
by copyright or database rights then
companies are not permitted to
restrict data scraping in their terms
and conditions.
Conversely, if companies cannot
prove that their website attracts
such rights, then they are permitted
to prohibit data scraping. The latter
scenario may allow a company to
promote a blanket ban on scraping,
but any prohibition will still rely on
the company being able to enforce
its terms and conditions; in other
words by demonstrating that there
has been a breach of contract. The
problem is that the binding nature of
online terms and conditions has not
been dealt with directly in the UK
courts yet.
The Information Commissioner’s
Office (ICO) published guidance in
2013 suggesting that best practice
should be for a user to actively
confirm their consent by ticking a
blank box (ie. an opt-in agreement).
Companies who are reluctant to
require users to consent in this
way – in the fear it will put off users
and turn away traffic – may soon
find themselves faced with a lack
of protection against their database
being scraped.
Collating the data
Although obtaining individuals’
information from separate
sources raises a number of legal
questions in itself, collating the
data in one place and then using
the results gives rise to further
issues. The central consideration
here is whether individuals have
granted consent to information