There was some pretty big news this week from the Office of the Privacy Commissioner of Canada, which sent a letter, signed by a consortium of other international data protection authorities, to social media giants.
They are telling platforms they have to do more to stop illegal use of their sites. It is, in many jurisdictions, illegal to scrape data even if it is available on a social media site. Clearview AI got into trouble in Canada for doing exactly that as part of its efforts to build facial recognition software.
On the surface, at least, it looks like this global group of data protection authorities (DPAs), instead of going after the organizations and companies that are performing these illegal activities, is telling the social media platforms they have to do something to stop these bad actors from scraping. They aren't alleging the social media companies are doing anything illegal — just that they should do more to prevent the illegal activity from happening.
The document sets out several steps social media companies and other websites that host publicly accessible personal information should take to mitigate the risks to individuals. These include:
- Designating a team and/or specific roles within the organization to identify and implement controls to protect against, as well as monitor and respond to, scraping activities;
- Monitoring how quickly and aggressively a new account starts looking for other users to detect abnormally high activity that may indicate unacceptable usage;
- Taking steps to detect bots and blocking IP addresses when data scraping activity is identified; and
- Taking appropriate legal action in cases where data scraping is suspected or confirmed.
I am curious as to what you folks think about this. Is it the social media platform's responsibility to invest resources to police scraping and ensure everyone abides by the rules?
On the one hand, I think the regulators take the view that by making these spaces available — and therefore the potential for use and abuse — organizations bear a certain responsibility for issues like this. It seems like one could also argue that the DPAs are asking the social media platforms to do their jobs of investigating privacy violations for them.
I wonder how smaller social media sites, without deeper pockets, will be able to comply with these expectations. I'm also curious as to whether there are simple technological solutions to help with this problem or whether the ask from regulators is much more complex.
Anyway, a joint international call to action like this usually means the regulators are hearing about and seeing a global problem. I think privacy pros will watch this one with quite a bit of interest, and hopefully there will, in the end, be some practical and effective solutions to tackle it.