Data Scraping And Criminal Liability
1. Introduction
Data scraping refers to the automated collection of data from websites, databases, or online platforms. While scraping itself is a technological process, it can lead to civil or criminal liability depending on:
Whether the data is personal or sensitive
Whether it violates terms of service
Whether it involves unauthorized access
Whether it is used for fraud, identity theft, or competitive advantage
2. Legal Framework
A. Unauthorized Access / Hacking Laws
Many countries classify certain types of scraping as unauthorized access under computer crime statutes:
United States:
Computer Fraud and Abuse Act (CFAA) criminalizes accessing a computer “without authorization” or exceeding authorized access.
European Union:
Directive 2013/40/EU and national computer crime laws penalize illegal access or interception of data.
B. Data Protection / Privacy Laws
Scraping personal data can violate privacy laws like:
GDPR (EU): Collecting personal data without legal basis can lead to fines and criminal sanctions.
National data protection laws may impose penalties or imprisonment.
C. Fraud and Misuse of Data
Using scraped data to commit fraud, identity theft, or unfair competition can trigger criminal liability under fraud, theft, or intellectual property laws.
3. Case-Law Analysis (Six Detailed Cases)
Case 1: hiQ Labs v. LinkedIn (USA, 2019)
Facts:
hiQ Labs scraped public LinkedIn profiles to analyze employee data for clients.
LinkedIn sent a cease-and-desist letter claiming hiQ violated the CFAA.
Legal Issue:
Does scraping publicly available data constitute unauthorized access under CFAA?
Judgment:
The Ninth Circuit Court held that accessing publicly available data does NOT violate CFAA.
However, accessing data behind a login or restricted page could constitute unauthorized access.
Significance:
Public data scraping is generally not criminal, but ignoring access restrictions may trigger criminal liability.
Sets precedent for U.S. cases involving scraping social media platforms.
Case 2: United States v. Nosal (2012)
Facts:
David Nosal recruited former employees to scrape confidential business data from his former employer.
Employees accessed proprietary information via company credentials.
Legal Issue:
Whether using legitimate credentials to access data for unauthorized purposes violates CFAA.
Judgment:
The Ninth Circuit concluded that exceeding authorized access for improper purposes is punishable under CFAA.
Nosal and co-conspirators were convicted.
Significance:
Highlights that scraping internal/protected data using legitimate accounts for unauthorized purposes is criminal.
Distinguishes between public and private scraping.
Case 3: Facebook v. Power Ventures (2016)
Facts:
Power Ventures scraped Facebook’s website to allow users to log in and access their friends’ data.
Facebook sued under CFAA and state law.
Legal Issue:
Does scraping after receiving a cease-and-desist notice constitute criminal liability?
Judgment:
Court held that ignoring a cease-and-desist and scraping private data is unauthorized access.
Power Ventures was liable for damages and prohibited from accessing Facebook servers.
Significance:
Cease-and-desist notices transform scraping from permissible to unauthorized access.
Criminal liability could arise if similar actions involve hacking or fraud.
Case 4: Craigslist v. 3Taps (USA, 2013)
Facts:
3Taps scraped Craigslist’s website to resell classified ads.
Craigslist alleged violations of CFAA and trespass to chattels.
Legal Issue:
Whether scraping public listings for commercial gain without authorization constitutes CFAA violation.
Judgment:
Court found that scraping after Craigslist blocked 3Taps’ IP addresses constituted unauthorized access.
Injunction issued; 3Taps had to stop scraping.
Significance:
Scraping after explicit blocking or access restriction can trigger civil and criminal liability.
Commercial use of scraped data increases scrutiny.
Case 5: Ryanair v. PR Aviation / Kiwi.com (Europe, 2017)
Facts:
Ryanair claimed Kiwi.com scraped its flight data, bypassing API restrictions to display ticket information.
Legal Issue:
Whether automated scraping of protected website data violates EU computer misuse and unfair competition laws.
Judgment:
European courts ruled in favor of Ryanair in some jurisdictions: scraping in violation of access restrictions constitutes unlawful interference with computer systems.
Significance:
In Europe, scraping may trigger criminal or civil liability if it:
Violates website terms
Involves bypassing technological measures
Causes economic harm
Case 6: German Federal Court – LinkedIn/Germany (2018)
Facts:
A company scraped LinkedIn Germany users’ public data for recruitment purposes.
LinkedIn issued a warning to stop scraping.
Legal Issue:
Whether scraping after warning violates German Computer Fraud Law.
Judgment:
Court held that scraping after a warning is unauthorized access, potentially criminal under German law.
Violates LinkedIn’s protected access and terms of service.
Significance:
Confirms that warnings / cease-and-desist letters matter in determining liability.
Even public data may become protected once access restrictions are imposed.
4. Key Principles Across Cases
Public vs. Private Data
Public data scraping is generally permissible unless restricted.
Scraping data behind logins, firewalls, or paywalls can lead to criminal liability.
Cease-and-Desist / Access Blocking
Ignoring warnings or IP bans can transform scraping into unauthorized access under CFAA or equivalent laws.
Purpose Matters
Commercial or malicious use (e.g., spam, fraud, reselling) increases liability risk.
Corporate Responsibility
Companies and officers who authorize scraping of protected systems can face criminal liability.
Cross-Border Differences
U.S.: CFAA-focused; intent and access restrictions matter.
EU / Germany: Terms of service violations + bypassing technical measures may trigger liability.
These six cases provide a comprehensive understanding of how scraping interacts with criminal liability, covering:
Public social media data
Private internal corporate data
Cease-and-desist situations
Commercial and competitive use
RELATED Blog
comments