The Italian Data Protection Authority puts a stop to 'web scraping'
The term “web scraping” (also known as “data scraping”) refers to a computer technique or procedure used to collect data by automated means, without authorized permission, from a website or application. This online data collection is typically performed using specialized software that simulates the browsing activity of real users, with the objective of automatically extracting specific information from public or private domains. The data acquired through this technique may also undergo further processing in order to create a database.
Web scraping is a widely used data collection method employed by all search engines in order to provide users with up-to-date results. Specifically, this technique is used to extract data from web pages and then collect them in databases or local tables for analysis. It is a system capable of extracting a large variety of information such as contact data, email addresses, phone numbers, as well as individual search terms or URLs.
Websites that offer users a service for comparing information from various websites like online platforms that compare prices of goods and services and aim to provide users with the ability to purchase at the most affordable price or websites may use web scraping.
The practice itself is not inherently considered illegal, but it can become unlawful if personal data of data subjects are processed for any other purposes inconsistent with the purposes for which the personal data were originally collected or authorized, such as publication of the data, commercial use, or dissemination without the free, informed, and explicit consent given by the involved individuals.
Therefore, unauthorized collection of personal data through illegitimate access to databases using web scraping can have significant legal implications in certain cases.
A recent order issued by the Italian Data Protection Authority
On this matter, recently, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Italian DPA”), with the Order No. 201 of 17th May, 2023, has prohibited the owner of a website (the “Website”) from creating and online disseminating a telephone directory formed by “scraping” data through web scraping and has imposed a fine of €60,000. Specifically, the current Italian regulatory framework does not allow the creation of generic phone directories that are not extracted from the unique database containing phone numbers and identifying data of customers from all national fixed and mobile telecommunication operators (elenco telefonico generale, “ETG”).
In relation to the Website, over the years, the Italian DPA has received various claims regarding the unauthorized publication of names, addresses, and telephone numbers, including those of holders of private phone lines. According to the claims, in some cases, the publication also involved personal data of data subjects who had specific privacy concerns regarding their phone number and address and some of them had indeed claimed to be owners of private phone numbers, meaning they were not listed in the ETG, emphasizing that, due to reasons related to their professional activities, the dissemination of their personal contact information posed a significant risk to their own safety and that of their family.
After the Italian DPA’s investigations, the Authority found that the Website owner did not have determined an appropriate legal basis for processing the personal data.
Moreover, the effects of such unlawful processing are further amplified by the fact that the published data is indexed by a well-known search engine and further disseminated.
Regarding the creation of telephone directories, reference is made to the special regulations established under Article 129 of the Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018 (the “Privacy Code”), implemented in compliance with Article 12 of EU Directive 2002/58/EC, which is given effect through specific decisions by the Italian DPA and the Italian Authority for the guarantee of telecommunications (“AGCOM”).
In particular, according to these provisions, the creation of telephone directories is permitted exclusively in the manner described by AGCOM Resolution No. 36/02/CONS (available only in Italian) and No. 180/02/CONS (available only in Italian), which have established the methods and rules for the implementation of the general telephone directory service.
Moreover, the Italian DPA (with the decisions No. 1032381, of 15th July, 2004), concerning “alphabetical” telephone directories of the universal service, clarified that only the creation, distribution, and dissemination of directories, in any form they are created, based on consultation and access to the universal service database is permitted. Furthermore, the entering of personal data in such directories requires the explicit, free, specific, informed, and documented written consent of the contracting parties.
Considering the above, it is not legitimate to create a telephone directory, whether online or paper-based, using data that is not contained in the universal service database, since this is the only source being directly supplied and updated by operators providing telephony services and it is the only one that is capable of ensuring the accuracy and currency of the data while documenting the intent of the individuals to make them public.
Moreover, the Website did not specify how to contact the data controller, and there was no chance for individuals to request the rectification of inaccurate data or their deletion. Even in the short privacy notice published, the Website owner's identity was not indicated, and this made it difficult to identify the liable party.
Therefore, the Italian DPA deemed the collection, storage, and dissemination of personal data to be unlawful and imposed a fine to the Website owner.