-A Legal Consultancy firm wants to access all the names and contact details of Solicitors in UK.
-A marketing agency needs contact details of potential customers so it can promote products/services to them, be it via e-mail , phone or post.
In all these circumstances, the business in question will need access to vast amounts of data. This is where web-scraping technologies prove invaluable because they enable extraction of huge volumes of data from websites. This scraped data may include personal data; names, e-mails or postal addresses.
When personal data is scraped from the web, GDPR applies because it is processing of personal data. Article 14 GDPR requires the data controller to provide privacy notice to data subjects whose data were scraped from the web.
In some circumstances, the data controller only collects the postal address, phone numbers or the names of data subjects and does not have their e-mail addresses.
While providing privacy notice by e-mail is the most convenient for data controllers, sometimes the e-mail addresses aren’t available to web-scrapers so that contacting them via phone or mail are the only options. This makes informing data subjects quite cumbersome because these methods drain financial and human resources of the business.
Due to these factors, data controllers will likely rely on exemption provisions to not provide privacy notices to individuals.
This article will answer the question:
Can Data Controllers (web-scrapers) be exempt from the requirement to provide privacy notice if doing this is high-cost and it drains company resources? If they can, how?
- PROVIDING PRIVACY NOTICE UNDER ARTICLE 14
a) What information to provide?
When a web scraper scrapes personal data from the web, article 14 GDPR applies because these data are collected from publicly-available resources.The privacy notice must provide information such as:
-Name and contact details of controller;
-Purposes of data collection; have you collected it for marketing/research purposes or etc.
-The legal basis to collect the data.
-Categories of personal data collected.
-Explaining the source from which data is collected.b) Timing
When you collect personal data through web-scraping, you must inform the data subjects within a reasonable time frame; in any case not exceeding one-month.
However, when you first contact the individual, be it through phone or e-mail, you must provide privacy notice to them at this time at the latest.
2. EXEMPTIONS FROM THE OBLIGATION TO PROVIDE PRIVACY NOTICES
While the rule is to inform the data subjects according to article 14, this obligation is not absolute and there are circumstances which exempt the data controller:
(i)Where providing privacy notices proves impossible (in particular for archiving, scientific/ historical research or statistical purposes);
(ii) Where it would involve a disproportionate effort (in particular for archiving, scientific/ historical research or statistical purposes).
(iii)Where providing the information required under Article 14.1 would make the achievement of the objectives of the processing impossible or seriously impair them.”
The first two exemptions are likely to be relevant for web-scraping while the third exemption is unlikely to be useful.
It is hard to contemplate a scenario where you can rely on ‘impossibility’ because your ability to provide privacy notice is either technically possible or not; there is no grey area. Only if you lose all the contact data in your database and you have no back-ups, you may be exempt.
– Disproportionate effort
‘Disproportionate effort’ assessment requires a balancing exercise.
As EDPB Transparency guidelines illustrates:
“you should carry out a balancing exercise to assess the effort involved for the data controller to provide the information to the data subject against the impact and effects on the data subject if he or she was not provided with the information.”
While carrying out this balancing exercise, data controllers consider factors such as ‘age of data’, ‘number of data subjects affected’ and ‘appropriate safeguards implemented’.
3. POLISH DPA CASE
In a case decided by Polish DPA, a marketing agency scraped personal data of approximately 7 million individuals such as names, addresses and e-mails of sole traders and lawyers from publicly accessible registries.
However, some of these individuals’ e-mail addresses were not accessible. The agency only had the e-mail addresses of around 700,000 people and sent them a privacy notice. The Agency only had the addresses or phone numbers of remaining individuals.
Considering that sending a privacy notice to each individuals’ address would cost as much as its yearly revenue, the Agency decided to only publish an announcement on its website by relying on ‘disproportionate effort’ exemption.
The Polish DPA rejected this argument because:
-High costs does not equal to disproportionate effort; cost does not justify escaping the obligation to provide privacy notice to data subjects.
-Data subjects will not be able to discover data-scraping activity on their own, announcement on the website is not sufficient to inform them.
4. CRITICISM OF POLISH DPA DECISION-RETHINKİNG THE DISPROPORTIONATE EFFORT
This decision adopted a very restrictive interpretation of the concept of ‘disproportionate effort’ and misinterpret this exemption. Following are criticisms to the decisions and suggestions for interpreting the ‘disproportionate effort’ correctly:
- The Authority should have carried out the balancing exercise
- The ‘disproportionate effort’ exemption requires balancing exercise between the effort needed to fulfill the obligation and the impact that the processing will have on data subjects.
- The Authority did not address the degree of risk to the rights and freedoms of data subjects. It directly jumped to the conclusion that high costs or time required to fulfill obligation cannot justify relying on disproportionate effort exemption.
- Applying encryption and pseudonymization techniques and processing the scraped personal data in compliance with GDPR would make the effect on individual minimum; tipping the balance in favor of justifying the exemption. The lesser the effect on individuals, the easier to justify relying on this exemption.2. Financial costs, time and human resources required to fulfill the obligation is still relevant
- Even though high costs or excessive expending of human resources alone cannot justify relying on this exemption, they must be considered in the balancing exercise alongside other factors such as number of data subjects, nature of data and appropriate safeguards implemented.
- For example, assume that appropriate measures such as encryption and pseudonymization are applied and data is not shared with third parties. Furthermore, providing privacy notice costs almost yearly revenue and takes months to complete. In this scenario, the risk to data subjects is almost zero and yet fulfilling the obligation will drain the resources of the data controller excessively. Hence, balancing exercise should favor not providing privacy notices to data subjects in such scenario.
3. Impossibility and disproportionate effort should not be confused
- The decision gives the impression that since the Agency can inform millions of data subjects by phone calls or mails, it cannot rely on disproportionate effort exemption because it is technically feasible to fulfill its obligation; high costs and operational burdens don’t justify exemption.
- While impossibility exemption applies if there is absolute inability to contact data subjects because the data is either unavailable and cannot be retrieved, disproportionate effort exemption requires a balancing exercise between the effort and impact. In disproportionate effort, informing each data subject is technically possible but the effort needed to achieve that is excessive compared to the degree of impact on individual.
- The Authority rejected the argument that high costs and operational burdens such as time and human resources expended can amount to disproportionate effort because the marketing agency simply can pay for the mail costs and inform data subjects.
- This approach confuses the disproportionate effort with impossibility: Data controller certainly can fulfill its obligations even by taking a loan or hiring thousands of people to make phone calls at the risk of going bankrupt. It is always possible. The issue is with regards to the effort it requires to fulfill the obligation and its weighing against the impact on data subjects.4. Putting a notice on website or an ad on newspaper are not substitutes to the obligation to provide privacy notice
- The decision treats putting a notice on website as a potential substitute to the obligation to provide privacy notice to individuals.
- Putting privacy notice on the website or running an ad on newspapers are not substitutes to fulfilling the obligation to provide privacy notice. Making the information publicly available is an appropriate measure to be implemented just as encryption; it will only be relevant in the balancing exercise.
By Ali Talip Pınarbaşı
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.