The Italian Data Protection Authority sanctions web scraping: the case of the portal Trovanumeri.com

The Garante Privacy recently banned web scraping and sanctioned the portal Trovanumeri.com for raking up online users in order to create lists. These violations involved as many as 26 million users, causing great concern for the protection of personal data. Concerns that culminated in a measure issued on 17 May by the Garante, which prohibited the website operator from creating and disseminating a telephone directory obtained through web scraping, a technique that consists in extracting data from one or more websites using special software programmes.

THE ISSUE

In this particular case, numerous reports were submitted to the Garante Privacy concerning the unauthorised publication of names, addresses and telephone numbers of individuals without their consent. Moreover, according to the reports, in some cases, the publication also concerned personal data of persons who had special confidentiality requirements concerning their telephone number and home address: some complainants had in fact represented that they were holders of confidential telephone numbers, i.e. not published in the general telephone directory.

Finally, several subjects complained that no indication (not even the information required by law) of the owner of the site could be found in the website and in the brief privacy policy published therein, thus making it impossible to identify the data controller.

THE VIOLATIONS 

Dissemination of personal data in the absence of an appropriate legal basis and processing in breach of the law

The processing consisting in the de facto creation of a telephone directory was deemed by the Data Protection Authority to be in breach of the law, resulting in the dissemination of personal data on the Internet in the absence of a suitable legal basis. It is important to emphasise that it is not legitimate to form a telephone directory, whether online or on paper, with data that are not taken from authorised sources, such as telephone operators’ databases. Only such a source can guarantee the correctness and up-to-dateness of the data, as well as document the willingness of those concerned to make them public.

Investigations revealed that the trovanumeri.com website also made reverse search available, but did not allow users to give free and specific consent for this functionality. The consent flag was in fact pre-selected and not modifiable, thus violating the requirements of the law in force.

It is also important to emphasise that the owner of the site had stated that the data on its websites had been collected through autonomous user input or through web scraping, i.e. through an automated process of searching for personal data on the web. This technique, however, had already been deemed unlawful by the Data Protection Authority in a ruling sanctioning the unlawfulness of the use of data collected through web scraping for purposes incompatible with the original purpose. Therefore, data acquired and processed without the consent of the data subjects and without a valid legal basis constitute a breach of privacy law.

Failure to respect data subjects’ rights, inadequate information and absence of safeguards

The reports received highlighted not only the unauthorised dissemination of data, but also the impossibility for data subjects to exercise their right to erasure and, potentially, other data protection rights. In fact, the website did not contain any information on the data controller and no contact channels with the data controller were available. 

Non-compliance with the processing Injunction

Finally, despite the prohibition ordered by the Garante Privacy, the Trovanumeri.com portal continued to operate and make available online numerous personal data. This non-compliance with the ban was further challenged as a breach of the provisions of the regulator.

CONCLUSIONS AND CORRECTIVE MEASURES TAKEN

The processing of personal data by Trovanumeri.com was found to be unlawful and to have numerous profiles of illegality. Even if some of the violations can be corrected, the main violation concerning the absence of an appropriate legal basis is sufficient to invalidate the entire processing. Therefore, the corrective measures taken must address the underlying issue and ensure that personal data are processed in compliance with privacy legislation.

In conclusion, the Trovanumeri.com portal case highlighted the importance of personal data protection and the negative consequences of unauthorised web scraping. The Garante Privacy has adopted sanctioning measures to ensure that users’ rights are respected and that data are processed in compliance with the law. This case is a reminder to companies and websites that process personal data, underlining the importance of regulatory compliance and respect for users’ privacy.