
Navigating the Legal Landscape: User-Permissioned Scanning in the UK

Introduction

At Mistho, we are excited to work on the frontier of both technological and legal innovation. Recently, we have seen more and more misinformation created in the market, essentially trying to discredit one of the best technologies available to implement basic consumer data rights, with the goal of creating or sometimes maintaining data oligopolies for income and employment information existing in the market today. As a result, we are now sharing our perspective more openly to enable all market participants to gain a clear picture of the legal landscape around user-permissioned scanning (sometimes called screen scraping).

In an era where data is akin to digital gold, scanning (the process of extracting data from a website's interface) with the explicit consent of the user is the easiest way for them to make use of their right to data portability. In the United Kingdom, this practice is governed by a complex web of laws and regulations, including the Computer Misuse Act, the Data Protection Act, Copyright Law, and the General Data Protection Regulation (GDPR), as well as considerations under contract law. This article embarks on an explorative journey to dissect these legal frameworks, aiming to illuminate the legality of user-permissioned scanning under specific conditions: obtaining the necessary consents, ensuring user rights to access their own data, and the non-storage of credentials. Of course, this is not legal advice, but is based on our years-long experience working with some of the best law firms in the field.

The Computer Misuse Act (CMA)

The CMA was enacted to prevent unauthorized access to computer systems. Under this act, scanning could potentially be deemed illegal if it involves accessing a website’s backend data without permission. However, when users consent to the scanning of their data, and the data is publicly accessible or the user owns the data, this activity shifts away from the unauthorized territory. The act’s essence is to protect against harm; thus, consensual and non-intrusive scanning, especially where the data is already accessible to the user, does not contravene the CMA, provided it doesn’t overburden the website’s servers, causing them harm. Ultimately, if the right consent is collected, no criminal liability will arise.

The Data Protection Act & GDPR

Both the Data Protection Act and GDPR regulate the processing of personal data. User-permissioned scanning that involves personal data necessitates adherence to principles such as obtaining explicit consent, ensuring data accuracy, and securing the data against unauthorized or unlawful processing. Under these frameworks, the legality of scanning is contingent upon respecting the data subject's rights and implementing appropriate safeguards. If all processing is done with consent and in a manner that the user has rights to access and extract their own data, these legal requirements can be satisfactorily met.

Copyright Law

Copyright law protects the expression of ideas, not the ideas themselves. In the context of scanning, this distinction becomes crucial. While the raw data might not be protected, the specific way a website organizes and displays that data could be. However, if the scanning is limited to data the user is authorized to access and doesn't replicate the structure or expressive elements of the site, it generally doesn't infringe on copyright laws. In the case of income and employment data, users always have the right and authorization to access, view and extract their own data and hence copyright law does not impact the use-case of scanning for income and employment information.

Contract Law

Websites often have terms of service that restrict or outright prohibit scanning. While these contractual agreements can limit scanning activities, user-permissioned scanning that aligns with the user’s rights to access and use the data on a personal level often falls outside such contractual restrictions, as from a GDPR perspective, prohibiting the user from extracting their own data is actually non-compliant. In essence, if the activity doesn’t breach any specific clause to which the user has agreed or it relates to personal data solely related to the individual in question, then contract law doesn’t provide a barrier to legal scanning.

Conclusion

The interplay between user-permissioned scanning and UK law is nuanced. While each legal framework imposes certain restrictions, a careful approach that adheres to the principles of obtaining proper consents, respecting the user's data rights, and avoiding the storage or misuse of credentials can navigate the legal landscape successfully. It's clear that the legality of scanning hinges on a respectful and compliant approach to data access and use. Provided these conditions are met, scanning is a legally sound practice within the UK, harnessing the potential of publicly available or personally owned data without infringing on legal statutes. This balanced approach not only respects legal boundaries but also fosters innovation and the ethical use of data in the digital age, which for us at Mistho is our highest priority. Get in contact with us to learn more about how our product delivers all legal safeguards to deliver user-permissioned data sharing for income and employment in a 100% compliant manner.

Any commentary produced by Mistho is for general information only and is not legal or other advice upon which reliance can or should be placed. Opinions expressed may change and there is no guarantee that the commentary is or will remain accurate, complete and up to date. To the extent permitted, Mistho disclaims all liability arising from any reliance placed on the commentary, including for actions taken or not taken based on it.
