January 28, 2021

Volume XI, Number 28


January 27, 2021

Subscribe to Latest Legal News and Analysis

January 26, 2021

Subscribe to Latest Legal News and Analysis

January 25, 2021

Subscribe to Latest Legal News and Analysis

French DPA Issues Guidance Surrounding Practice of Web Scraping

On April 30, 2020, the French data protection authority, the CNIL, published a guidance surrounding considerations behind what it calls “commercial prospecting,” meaning scraping publicly available website data to obtain individuals’ contact info for purposes of selling such data to third parties for direct marketing purposes.  The guidance is significant in two respects.  First, it speaks to the CNIL’s view of this activity in the context of the GDPR and privacy concerns.  Second, beyond the context of direct marketing related privacy issues, the guidance lays out some guiding principles for companies that conduct screen scraping activities or hire outside vendors to collect and package such data.

Privacy Concerns

Based on its investigation into commercial prospecting, the CNIL guidance noted that some entities are scraping individuals’ phone contact information posted on online directories or listings, even though such individuals may not have given consent for such collection and subsequent reuse for marketing solicitations. The guidance states that although such contact information is from publicly accessible websites, the individuals who posted the information did not reasonably expect to have it scraped for “prospecting,” and as such, the contact information is still “personal data” under the GDPR and cannot be re-used for marketing without the consent of the data subject.

The guidance notes that such consent should be obtained prior to any reuse of the data for marketing purposes and must be freely given, specific, informed and unambiguous. The CNIL states that the acceptance of the terms of general conditions mentioning that the individual accepts to receive marketing communications is insufficient, as it not specific. In addition, the CNIL notes, the individuals’ rights under the GDPR must also be complied with, such as the right for an individual to oppose to the processing of their data and the need to provide appropriate information to the individual as to the processing of their data (the business reusing the data should in principle make a privacy policy available to the concerned individuals).

With the release of this guidance, the French data protection agency (a “DPA”) has quietly confirmed that web scraping involving the collection of personal data, even from publicly available websites, implicates the need to conform with the GDPR and requires that companies (and their vendors) perform needed compliance.  This is not the first time that a European DPA has investigated data scraping activities.  In March 2020, the Polish DPA issued its first fine under the GDPR against Bisnode, a Swedish-headquartered company that specializes in business intelligence and data analytics. Apparently, Bisnode had scraped data from publicly available government databases about individuals’ prior registrations as sole proprietors and other related corporate activities and produced certain reports for its clients.  To fulfill certain requirements under the GDPR, Bisnode had sent emails to affected individuals with known addresses (and posted notices on its website), but it failed to send postal notification to millions of other individuals or entities due to the administrative cost and burden of doing so.  The Polish DPA issued a fine for such a violation. Instead of complying with mailing millions of notices, Bisnode reportedly stated it would delete the data at issue, and appeal the Polish DPA’s order.  Regardless of the outcome, data scraping is something that EU regulators are beginning to keep an eye on.

General Concerns About Scraping

As we’ve stated on multiple occasions, it is important for downstream recipients of anonymized web or user data or analytic reports breaking down such data to understand how such data is collected and processed and whether such data collection is done according to applicable law or contractual requirements.  Putting aside the GDPR issues, the CNIL guidance is a timely reminder to those entities engaged in web scraping about the importance of due diligence with respect to the data collection.  The guidance also laid out some guiding principles for companies that conduct screen scraping activities or hire outside vendors to collect and package such data:

  • Understand the duration of the web scraping and data processing activities

  • Know the origin of the scraped data and whether the website from which the data is collected restricts its collection and commercial reuse

  • Minimize the collection of personal data, and refrain from collecting any data that is irrelevant for the expected purpose of the data extraction

  • Inform individuals affected by the collection of any personal data

  • Carefully oversee vendor relationships concerning the nature of the data processing and any privacy and data security obligations. The CNIL suggests that service contracts should comply with certain GDPR requirements and, among other things, should specifically outline the nature of the data collection activities, including the purpose of the processing and the types of personal data collected (if any).

  • Conduct a data protection impact assessment (DPIA), if appropriate

© 2020 Proskauer Rose LLP. National Law Review, Volume X, Number 134



About this Author

Jeffrey D Neuburger, Proskauer Rose Law Firm, Technology Attorney

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law...

Stéphanie Martinier, Proskauer Law Firm, Paris, Corporate, Cybersecurity and Finance Law Attorney

Stéphanie Martinier is a senior associate in the Corporate Department, working in the Paris office.

Stéphanie advises French and international clients on the legal aspects of their investments in France. She has worked on a wide range of corporate transactions, including business acquisitions and sales (both for industrial clients and private equity funds), and joint ventures, and has been involved in the negotiation of sensitive commercial contracts. In addition, she has built long-term relationships with her clients advising them in this...

Mathilde Pepin , Proskauer, labor and employment lawyer

Mathilde Pépin is an associate in the Labor & Employment Department in Proskauer's Paris office. She previously worked as a judicial assistant at the labor chamber of the Rouen Court of Appeal, as an in-house counsel trainee at Sephora and Barclays and as a trainee lawyer at several law firms.

She advises national and international companies on all aspects of individual and collective employment issues. She also assists clients in their contentious matters. She has developed her experience on data privacy law in particular by working on the practical...