On 30 April 2020, the French data protection authority (Commission Nationale de l’Informatique et des Libertés or CNIL) issued guidance (in French) on how to reuse personal data publicly available online for commercial prospection purposes.
The guidance clarifies certain issues and sets out best practice. But the reality is that, with the consent of each data subject needed, reusing the data remains difficult.
Publicly available data are and remain personal data
The CNIL says that it has received numerous complaints about companies collecting personal data available online for commercial purposes. The Commission points out that, even though these data are publicly available, they are personal data. As such, they cannot be freely reused by data controllers and they cannot be reused without the individual data subject’s knowledge.
Consent key to the re-use of publicly available online data
According to the CNIL guidance, before reusing an individual’s data, controllers generally need to obtain consent that is freely given, specific, informed and unambiguous.
This prior consent shall be obtained:
- when individuals have shared their data with a particular data controller and do not expect their data to then be used for commercial purposes by another controller; and
- when companies reuse data that are publicly available online to promote their products and services via email or automated calls.
Data controllers also need to comply with the right to object as laid out in the EU General Data Protection Regulation (GDPR). When companies market their products and services via other means, eg by human, non-automated phone calls, the data of individuals registered on ‘Do Not Call’ lists shall also not be collected, and software is supposed to be set up accordingly.
The CNIL also emphasises that when using data extraction software, data controllers need to:
- check the nature and source of the data;
- comply with the data minimisation principle;
- inform data subjects about the data processing;
- ensure that the data processors they use also comply with data protection principles; and
- if needed, carry out data protection impact assessments.
Finding pragmatic solutions on a case-by-case-basis
In theory, the CNIL’s guidance seems reasonable but, in many cases, is difficult to follow in practice, particularly as data controllers must get consent from every individual affected and provide them with comprehensive privacy notices.
Therefore, it is necessary to assess, on a case-by-case basis, whether further technical, organisational or contractual safeguards may be implemented to make data scraping possible even in cases where consent is not obtained. This would particularly apply where data is scraped to generate insights without linking to any identifiable individuals.