Data scraping can be unlawful if it constitutes an infringement of database rights, unfair competition, a breach of contract, or a violation of data protection laws.
Database rights and unfair competition.
In the European Union, Directive 96/9/EC on the Legal Protection of Databases was adopted on 11 March 1996 (“Database Directive” or “Directive”). The Directive introduced a sui generis right for database creators. Under the Directive, database is defined as "a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means". The database right is granted to database creators who have made a substantial investment in the database and it aims to protect them from the serious economic and technical consequences that unauthorised extraction or re-use of the database content could lead to. Under the Database Directive, the database rights expire 15 years from the first day of the year following the date the database was first made available to the public. Each new substantial investment in the database extends the term for another 15 years. Under article 5 of the Directive, the author of a database has the exclusive right to carry out or authorise restricted acts, such as the communication of the database to the public, its reproduction, distribution, or adaptation. Under article 6 of the Directive, EU Member States have the possibility to define exceptions to the authors’ exclusive rights. Such exceptions include reproduction for private purposes of a non-electronic database and use of the database for illustration for teaching or scientific research.
Article L. 341-1 of the Intellectual Property Code defines the author of a database as "the person who takes the initiative and the risk of the corresponding investments, benefits from protection of the content of the database when the constitution, verification or presentation of the latter represents a substantial financial, material or human investment".
The author of a database has the right to prohibit the extraction or re-use of the content of the database. The French database right can be invoked by organisations that have their registered office, central administration or principal place of business in an EU Member State, a European Economic Area (EEA) Member State or any jurisdiction that has a reciprocal agreement with the EU. However, if the organisation has only its registered office in the other EU or EEA Member State, its activities must have a real and continuous link with the economy of one of them.
On 2 February 2021, the Paris Court of Appeal ruled in favour of LBC France SAS, a French leading company operating classified ads, including for real estate, via the website leboncoin.fr. LBC brought an action against Entreparticuliers.com after noticing that the defendant had set up a system of total, repeated and systematic extraction of the content of its real estate database. To establish the claimant's database right, the Court took into account the facts that it had invested nearly 50 million euros to feed, maintain, secure, optimise and promote its database and had hired 19 employees dedicated to the database for 1.2 million euros. In finding the infringement, the Court noted that most of the ads in the leboncoin.com real estate category were reproduced on Entreparticuliers.com, along with photographs and elements relating to the location, type of property, price and surface area of each ad. As a consequence, the defendant was ordered to pay 70,000 euros in damages.
It is worth noting that the Court of Appeal mentioned that the defendant was in direct competition with LBC in its capacity as author of the real estate sub-database.
In this respect, under general principles of French civil law (including article 1241 of the Civil Code) unfair competition, which includes commercial free-riding, can give rise to damages where the defendant's conduct has caused a direct loss to the victim. Commercial free-riding is defined by the French highest Court as "behaviours by which an economic agent intrudes into the trail of another economic agent in order to benefit from it without spending anything". In the LBC case, the defendant arguably engaged in unfair competition.
Contract law
Remedies against data scraping could be based on contract law, where the terms and conditions of a website prohibit the users from extracting data. This solution was found in Ryanair Ltd v PR Aviation BV (Case C-30/14) where the CJEU ruled that although Ryanair's published fares were not protected by copyright or database rights, PR Aviation BV which operated a flight comparison website by extracting Ryanair's (and other airlines') data, had breached the terms and conditions of Ryanair's website. Such terms and conditions provided that the
“use of automated systems or software to extract data from this website or www.bookryanair.com for commercial purposes, (‘screen scraping’) is prohibited unless the third party has directly concluded a written licence agreement with Ryanair in which permits it access to Ryanair’s price, flight and timetable information for the sole purpose of price comparison.”
In this case, PR Aviation BV had argued that it could benefit from the exceptions set out in article 6 of the Database Directive and that, pursuant to articles 6(1) and 8(1) of the Directive, the owner of the rights in the database could not prohibit in its terms and conditions such use falling within the scope of the exception. The CJEU rejected this argument due to its finding that the published fares were not protected by database rights and that therefore the exceptions were not applicable.
Data protection
The automated extraction of data from a database does not necessarily involve the processing of individuals' personal data. For example, an online company could make available to the public a list of coupons, vouchers or bargains presented on a website that is continuously fed with data scraped from retailers' webpages. However, where the data extracted constitutes personal data, meaning information relating to an identified or identifiable individual, data protection law must be complied with.
Under Article 48 of the French Data Protection Act (Act No. 78-17 of 6 January 1978 on Information Technology, Files and Freedoms) which cross-references Article 13 of GDPR, upon collecting personal data, the controller must provide data subjects with information related to its processing activities, including, amongst others, its identity, its contact details, the purposes and legal bases for the processing and the data subjects' rights. This rule is applicable even where the personal data is already available to the public. The data controller must have a lawful basis for scraping the data, such as consent from the data subjects or a legitimate interest, although, with regard to electronic direct marketing, legitimate interest does not apply and opt-in consent is required pursuant to e-privacy law. Consent must be freely given, specific, informed and unambiguous. These rules have been reiterated by the French data protection authority, CNIL, in its Guidance on the Re-use of Publicly Available Online Data for Marketing Purposes, issued on 30 April 2020. In addition, even where the collection of data complies with data protection and e-privacy laws, the other processing activities must obey a number of other obligations and data subjects should have their rights respected.
In this regard, on 8 December 2020, the CNIL imposed a €20,000 fine on Nestor SAS, a company specialised in the preparation and delivery of meals to office workers. CNIL's decision resulted from a number of complaints brought by individuals who had been receiving unsolicited marketing messages from Nestor in their professional mailbox. Some had requested in vain to access their data and had objected to the processing. Nestor had built an e-marketing database by scraping publicly available data from LinkedIn. CNIL found Nestor liable for a number of violations of data protection and e-privacy obligations and rights, such as the requirement to inform the data subjects, to obtain prior consent, to take appropriate security measures to protect the data, to comply with data subjects' access right.
Next steps
As scraping technology continues to develop, it is important for businesses focusing on data scraping to put in place a compliance system requiring them to check whether there are any restrictions to scraping, typically in the target website’s terms and conditions. Absent stated restrictions, consent from the rights holder will need to be secured from an intellectual perspective and, depending on the purpose of the scraping, from a data protection perspective. Where the data is lawfully collected, the scraping company will need to ensure that it is at all times used lawfully.
Companies susceptible to data scraping against their will should include, in their website’s terms of use, provisions prohibiting scraping. To ensure they are enforceable, the provisions should not be overbroad by, for example, proscribing extraction activities that fall within the scope of the exceptions to the database owners’ exclusive sui generis rights. Database creators should carefully decide against which party they seek to enforce their rights. As data scraping is not necessarily unlawful, it would be challenging to successfully bring a claim against a company that only produces and/or markets data scraping solutions but that does not itself scrape data, unless the scraping tool is specifically designed to engage in unlawful scraping.
Authored by Aissatou Sylla
