Is Web Scraping Legal in the United Kingdom?
In the United Kingdom, web scraping is considered a legal activity as long as it is done for legitimate purposes and does not violate any laws. The main laws that may be relevant to web scraping in the UK include the Computer Misuse Act, the Data Protection Act, and the Copyright, Designs and Patents Act.
Related Laws
The Computer Misuse Act 1990
This law makes it a crime to access a computer without authorization, or to exceed authorized access. This means that if a website has explicitly prohibited the use of web scraping in its terms of use, scraping the site would be considered a violation of this law. However, this applies only when Terms of Service (TOS) is agreed explicitly by the user (e.g. clicking a button or logging in).
The Data Protection Act 2018
This law regulates the collection, use, and storage of personal data. Web scraping that involves the collection of personal data would have to comply with this law, which includes obtaining consent from individuals whose data is being collected and ensuring that the data is being used for a lawful purpose.
The Copyright, Designs and Patents Act 1988
This law protects the intellectual property rights of website owners. So, if a website owner has not given permission to scrape their website, this act might be violated.
The General Data Protection Regulation (GDPR or UK-GDPR)
This EU law applies to all the EU member countries, including the UK which adopted it as UK-GDPR after brexit. It regulates data processing activities, including web scraping, and enforces strict data protection rules.
The GDPR requires that companies must have a legal basis for collecting and using personal data. This includes obtaining explicit consent from the individuals concerned, or having a legitimate reason for collecting the data. If a company is scraping personal data from a website, it must have a legal basis for doing so, and it must inform the individuals concerned about the data being collected, used, and shared.
In practice, this law prevents scraping of personal user data as acquiring consent is very impractical. It's worth noting that even if certain pieces of information, such as names, are removed, the data may still be considered personal data if it can be used to identify an individual through other means, such as through a combination of other data points. For example, if a dataset contains information such as email addresses, age, location, and occupation, it could still be considered personal data under GDPR, even if the names have been removed.
GDPR is a relatively new law and there are still many unanswered questions about how it applies to web scraping. However, it is generally considered to be a very strict law and it's best to avoid scraping personal data until more information is available.
Database Protection (same as EU)
The Database Directive is a European Union (EU) law that was implemented in the United Kingdom in 1997. The directive's official title is the "Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases." It provides legal protection for the creators of databases, including the sui generis right of the maker of a database, which is a new form of intellectual property rights specific for databases.
The Database Directive is intended to protect the investment of time and money that goes into creating a database by giving the maker of the database certain exclusive rights. These rights include the right to prevent extraction and re-utilization of the whole or a substantial part of the contents of a database. This means that if a database is protected by the Database Directive, it is illegal to extract and use a substantial part of its contents without the permission of the maker of the database.
The Database Directive applies to databases that are original in the sense that they are the result of the maker's own intellectual effort. This means that if a database is created by simply compiling information that is already publicly available, it would not be protected by the Database Directive.
Popular Cases
Ryanair Ltd v Billigfluege.de GMBH (2010)
In this case, Billigfluege.de (a German travel agency) was scraping flight pricing and scheduling information from Ryanair's public website without Ryanair's consent. This data was publicly available on Ryanair's website, meaning that it did not require a login to access. The scraped data was then used on Billigfluege's own site. 1
The key note here is that Ryanair managed to convince the judge that ToS was legally binding even though it was a browse-wrap agreement with a visible term of service link in the footer of the website. Even so, the legality of browse-wrap agreements is still decided on a case-by-case basis in the UK.