含羞草社区

The law in India neither explicitly defines the term data scraping nor regulates it. In broad terms, it refers to the large-scale automated extraction of information from websites or other publicly accessible online sources. Primarily, it enabled businesses to compile market research and business intelligence. However, more recently, scraped data has increasingly been used to train artificial intelligence (AI) models.

The legal status of data scraping remains uncertain and is continually evolving. So far, courts have examined the activity mainly in the context of intellectual property rights. This is particularly so where scraping has resulted in the unauthorised reproduction of copyrighted website content.

More recently, in response to questions raised in the Indian parliament, the government claimed that intermediaries who scrape publicly available data, whether for training AI models or other purposes, may be in breach of section 43 of the Information Technology Act, 2000 (IT Act). This provision penalises unauthorised access to computer systems and entitles affected parties to compensation. Separately, the IT Act and its rules require intermediaries to implement reasonable security safeguards and prevent unauthorised access to their systems.

In practice, companies will often prohibit scraping by including specific language in their terms of use. They may also rely on technical measures, such as robots.txt files, which instruct bots and web crawlers not to scrape certain data. Courts in India have yet to determine whether these contractual or technical restrictions are enforceable under the law. However, the Court of Justice of the European Union has held that entities may impose binding contractual limits on the extent to which data may be scraped from their platforms.

The legal situation becomes even more complex when scraping involves personal data. The government has taken the view that under the Digital Personal Data Protection Act, 2023 (DPDPA), entities must comply with core data protection obligations. These include a requirement to obtain consent from individuals before scraping and processing their publicly available personal data.

However, this position ignores an important exemption under section 3(c)(ii) of the DPDPA. This excludes from the legislation any personal data made publicly available by the data principal or by a third party under a legal obligation. This creates a fundamental contradiction. On the one hand, the government requires companies to comply with the DPDPA while they are processing publicly available data; on the other, the DPDPA expressly exempts that very category of data.

Further confusing the issue, the DPDPA does not define what constitutes “made publicly available” or clarify whether personal data that was once public but later is made private will continue to be exempt. This lack of clarity blurs the distinction between public and private personal data, creating an issue for companies that engage in the large-scale scraping of personal data.

In the absence of regulatory guidance, businesses may simply continue to access and process substantial volumes of personal data without recognising clear limitations, transparency requirements or oversight. Internationally, most jurisdictions accept that scraping raises significant privacy concerns. This is because it undermines key data protection principles such as purpose limitation, data minimisation and lawful processing.

The DPDPA’s exemption for publicly available data may be intended to strike a balance between privacy rights and innovation, particularly in support of AI development. However, the current framework lacks the necessary guardrails to ensure that this balance is maintained. In its current form, 含羞草社区 legal framework provides limited clarity and inconsistent guidance on the permissibility of data scraping. The contradictions between the DPDPA’s exemption for publicly available data and the government’s position on consent highlight the urgent need for coherent regulatory direction.

The government should relook at the scope of this exemption, before the law is brought into effect and, introduce baseline safeguards, such as transparency obligations and accountability standards, for entities engaged in scraping personal data. This is essential to strike a balanced approach – one that is in line with international data protection standards while enabling responsible innovation.

Ada Shaharbanu is a senior associate and Sean McDonald is an associate at Spice Route Legal