Recruiters - Taking Candidate Data From Social Media Sites
Why do some websites ask us to verify that we are humans before we can access them?
Aside from machine learning purposes, it is also because many website owners want to ensure that we are not just a computer looking to scratch the surface of the website to obtain valuable data - a process known as “data-scraping” - and social media platforms are no exception.
Whilst a useful tool for some companies, it is also a risky business and opens you up to many legal issues, related to database right infringement, copyright infringement, potential breach of a website’s user terms and conditions - and of course, privacy, GDPR and data protection issues.
A recent case in a US Appeal Court regarding scraping data from LinkedIn has got us wondering: when is it okay to use data-scraping from a privacy perspective?
Do I Carry Out Data-Scraping?
Data-scraping is the practice of electronically obtaining publicly available data from online sources. This might involve contact scraping to get email addresses, competitor monitoring to see how much other companies are charging for their services, or reputation monitoring to review comments being made on social media platforms about competitors. Indeed, such practices are common in many industries and, in our experience, are particularly prevalent among sales teams, consultancy and contractor staffing companies and recruitment agencies.
It might not be immediately obvious when you are using data-scraping practices. If you engage in recruitment drives, trend identification, marketing campaigns, sales or lead generation, it is likely you will scrape data to enhance your database, particularly when you are using third-party technology (such as plug-ins or apps) to do so.
Data-Scraping in the US
An appeal case concerning the lawfulness of data-scraping recently came before the US Courts.
Data company hiQ Labs Inc used data-scraping on public profiles which could be accessed publicly on LinkedIn. The LinkedIn Corporation argued that hiQ’s data-scraping practices were illegal under the Computer Fraud and Abuse Act (CFAA), which says that a computer should not be accessed without authorisation. It issued a cease and desist letter to the company, arguing that it was violating the LinkedIn user agreement, Californian law and US federal law. It also attempted to technically block the data-scraping being carried out on its site.
In response, hiQ sought a preliminary injunction against LinkedIn, with the first instance Court agreeing that hiQ should be allowed to carry out the data-scraping. It ordered LinkedIn to allow hiQ to access the data, which led to LinkedIn appealing to the Ninth Circuit Court of Appeals.
The Court of Appeals considered that hiQ Labs’ practices were not unlawful under the CFAA. Finding in favour of the data analytics company, the Court of Appeals explained that the CFAA contemplates information which is not publicly accessible, for example, password encrypted files. It would only have been unlawful for hiQ to access confidential information, such as private profiles.
The Court of Appeals disagreed with LinkedIn’s argument that it was seeking to protect users’ privacy rights by stopping the data company from scraping data, pointing out that there was already little or no expectation of privacy for users of the LinkedIn platform who have made their personal profile public.
In the decision, we see the Court of Appeals balancing privacy rights in the US: it expressed concerns about giving large companies like LinkedIn free rein to decide who can collect personal data and how they can use it, especially since LinkedIn does not own the data itself. It worried about the creation of information monopolies that would disserve the public interest.
Data-Scraping in the UK
On the other side of the pond, as we have seen in our article published in the Journal of Social Media in Society, the data protection laws in Europe tend to be stricter than those in the US, due to the General Data Protection Regulation (GDPR, EU 2016/679). To consider European data-scraping rules in light of the approach of the Court of Appeals in the hiQ v. LinkedIn case, we have considered guidance from the British Information Commissioner’s Office (ICO).
When personal data is being collected in any shape or form, it must be collected and then subsequently stored and processed in reliance on a lawful basis. There are six lawful bases set out in Article 6 of the GDPR, and the ICO has an interactive tool to help you work out which lawful basis you should use.
The options are: consent; a contract with the data subject; compliance with a legal obligation; vital interest; public interest; and legitimate interest.
Consent will normally not be an option as most individuals are likely to not have clearly, specifically and unambiguously consented to their data being scraped.
The justification of processing personal data as being in your legitimate interests is a useful one as it is flexible and can apply to a wide range of different situations. It can also give you more control than relying on consent, where a person might change the terms of your agreement at any time or easily withdraw their consent, rendering your continued processing of their personal data potentially invalid. However, the ICO has also pointed out in guidance that while it is an often-relevant concept, it will not apply all the time and should not be relied on as a default basis, and must not be used if your legitimate interests outweigh the individual’s fundamental privacy rights and freedoms.
It is recommended to apply a three-part test to ascertain whether you are able to rely on legitimate interests in your particular circumstances. To help, we have applied the test to a hypothetical scenario, where you may be scraping candidate data for a job role:
Purpose test: identify what your legitimate interest is. Are you collecting selected candidate details for a specific role?
Necessity test: consider if the processing is necessary. Are there any other ways that you could get this information less intrusively?
Balancing test: balance the individual’s own interests against yours. Is it clear they have no interest in receiving communications from you? Are you sure that they have an interest in gaining employment? An important way to judge this is by checking if candidates have the “open to recruiters” button checked.
The same rules apply to data-scraping as with most practices involving personal data: businesses should only ever collect and process data that is relevant, necessary and adequate for the purposes that it is being collected for.
The ICO provides its own practical example in guidance on its website: if an individual uploads their CV to a job board website, or has ticked the “open to recruiters” tab on LinkedIn, a recruitment company could reasonably take a copy of this CV and other profile data in order to provide staffing services, since it is likely to be in the individual’s, the recruitment company’s, and the recruitment company’s clients’ interests. Indeed, by taking such active steps, the individual is likely to expect, and even desire, that staffing agencies will use his/her personal data for recruitment purposes. Therefore, the legitimate interests of the parties are likely to be aligned and the fundamental privacy rights of the individual are not likely to be outweighed by any data-scraping activity performed on his/her profile by the recruiter.
However, in the EU, unlike in the US, guidance provides that unless an individual has manifestly demonstrated their will to have their data scraped (for example, for recruitment purposes as we have set out in our scenario above, by ticking the “open to recruiters” tab), a company cannot simply assume that the individual has a reasonable expectation of having their personal data taken or used by a staffing agency, or even of being contacted for work.
In this case, even if the profile is public (and, as the US Court of Appeals said, privacy expectations in this case are, at best, questionable), you cannot rely on legitimate interests for taking that individual’s data. You should therefore rely on another ground, by contacting the individual via the LinkedIn platform, asking if they require recruitment assistance or are interested in a specific role, and then only move them across to your candidate database once you have had a positive response and, where necessary, their consent to do so.
Practical Advice
Take care!
If you are operating in the US:
The hiQ v. LinkedIn case certainly doesn’t mean that website owners will have no recourse against companies carrying out data-scraping on their site. In the event of appropriation of someone else’s public content, other laws could apply: there could be copyright infringement, misappropriation, unjust enrichment, breach of contract or breach of privacy.
The broad interpretation of the US decision seems to be that it might be lawful to capture any public online data not owned or password protected by a publisher, but as always this will depend on the circumstances.
If you are operating in the EU (and best practice wherever you are based!):
Businesses should always apply tests of necessity and proportionality to data-scraping, asking whether all of the data scraped is necessary and directly relevant to achieving the intended purpose.
You must be able to explain your purpose and justify why this is in your legitimate interest, as well as demonstrate the necessity of your processing. The onus is on you to show that your interests are balanced with those of the individual.
Consider performing a DPIA
If the GDPR is applicable to your personal data processing activities and you intend to rely on legitimate interests to carry out data-scraping, it is probably in your interests to perform a data protection impact assessment, or DPIA.
This document evaluates all of your processing and aims to help you systematically analyse, identify and minimise the data protection risks created by your business. This can help support your obligation to ensure data protection by design, identifying risks and taking appropriate safeguards. It is also a useful instrument to demonstrate to a data protection authority that you take data protection seriously.
Right to inform individuals
Additionally, Article 14 of the GDPR sets out extra obligations around publicly available data with information to be provided where personal data have not been obtained from the data subject.
You should endeavour to provide the individual with your identity and contact details, the purposes for which you are processing personal data, the categories of data concerned and the recipients of this data within the applicable timeframes, unless you can show (and document) that it would be unduly onerous for you to do so.
Questions?
As always, if you have any questions about whether your data-scraping processes are legal or have any other data privacy issues we can help you with, please don’t hesitate to get in touch.
Article by Lily Morrison and Charlotte Gerrish @ Gerrish Legal, October 2019