GDPR has been enforceable since 25 May 2018, six years now. The fines are real and documented, and developers who build scrapers are increasingly in the crosshairs.
Here are 7 enforcement actions and court cases that anyone scraping personal data should know. Not all of them involve scraping directly, but each one sets a rule that applies to scraped data.
Case 1: Clearview AI — 20M EUR Fine (France, 2022)
What happened: Clearview scraped billions of photos from social media and other public websites without consent, extracted face templates from them, and sold search access to the resulting facial recognition database, mainly to law enforcement.
Fine: CNIL (France) fined 20M EUR in October 2022 and ordered the data on French residents deleted. Italy and Greece imposed 20M EUR fines of their own; the UK ICO fined 7.5M GBP.
What they violated:
- No Article 6 legal basis for collecting the photos or the face templates derived from them
- Failure to honour data subject rights, in particular access and erasure requests (Articles 15 and 17)
- Processing special category (biometric) data under Article 9 without any of its exceptions applying
Developer takeaway: A photo on its own is ordinary personal data, but the moment you process it to uniquely identify a person (face recognition, face embeddings) it becomes biometric data, a special category under Article 9 (see Recital 51). Never scrape profile photos at scale for identification without an Article 9 exception, which for a scraper means explicit consent.
Case 2: Booking.com — 475K EUR Fine (Netherlands, 2020)
What happened: Criminals obtained booking details of around 4,000 customers by social-engineering hotel staff. Booking.com discovered the breach but notified the Dutch DPA 22 days later, far beyond the 72-hour deadline of Article 33. This case is not about scraping; it is here because any scraped dataset you hold is a dataset whose breach you must be able to detect and report on the same clock.
Developer takeaway: Nationality is not itself an Article 9 special category (racial or ethnic origin is), and it was not what this fine was for. The rule this case sets: once you hold personal data, breach detection and a 72-hour notification path are part of the build, not an afterthought.
Case 3: Eniro — 700K EUR Fine (Sweden, 2020)
What happened: A Swedish directory service scraped personal data from public sources and was found to have violated the data minimization principle (Article 5(1)(c)).
Developer takeaway: Data being public does not exempt it from minimization or purpose limitation. Scraping public data and then selling it, or combining sources into profiles, is a new purpose that needs its own justification and triggers much stricter requirements.
Case 4: Meta — 1.2B EUR Fine (Ireland, 2023)
What happened: The Irish DPC found that Meta's transfers of Facebook EU user data to the US, made under Standard Contractual Clauses, did not address the risks identified in the Schrems II judgment (2020), imposed a 1.2B EUR fine and ordered the transfers suspended.
Developer takeaway: Where you store scraped EU personal data matters. Meta had SCCs in place and was still fined, because SCCs alone do not cure a destination country's surveillance law; you need a transfer impact assessment and supplementary measures, or an adequacy decision. Since July 2023 the EU-US Data Privacy Framework provides adequacy for US companies that have certified under it; a random US cloud bucket is not automatically covered.
Case 5: Grindr — 6.5M EUR Fine (Norway, 2021)
What happened: Grindr shared users' GPS location, device identifiers and the fact that they were Grindr users with advertising partners. Consent was bundled into accepting the privacy policy, so Datatilsynet held it was not freely given, specific or informed.
Developer takeaway: Location data is not an Article 9 special category on its own, but context can make it one: "this device is on Grindr at these coordinates" reveals sexual orientation. If a combination of fields lets someone infer a special category, treat the combination as special category data and collect it only with explicit, unbundled consent.
Case 6: Italian Data Broker — Investigated 2024
What happened: Italian DPA investigated a company scraping LinkedIn to sell B2B lead lists.
Outcome: Company had to suspend operations during investigation.
Developer takeaway: Selling scraped personal data as a business model is under intense scrutiny.
Case 7: hiQ Labs v. LinkedIn (US, 2017-2022)
What happened: hiQ scraped public LinkedIn profiles to build HR analytics products; LinkedIn sent a cease-and-desist and blocked its access.
Outcome: The Ninth Circuit held (2019, reaffirmed in 2022 after the Supreme Court's Van Buren decision) that scraping publicly accessible profiles likely does not violate the CFAA. hiQ still lost in the end: in 2022 the district court found it had breached LinkedIn's User Agreement, and the case settled. None of that touches GDPR, which is a separate regime.
Developer takeaway: Publicly accessible != GDPR legal basis. In the EU you still need an Article 6 ground, and a data subject can object under Article 21 to processing that rests on legitimate interest.
Risk Assessment: What You Can and Cannot Scrape
Low Risk
- Company names, logos, pricing
- Job listings from career pages
- Product data from e-commerce
- Published news content
Medium Risk (personal data: needs a documented Article 6 basis, usually legitimate interest)
- Professional names and titles
- Business email addresses
High Risk (Article 9 special category or otherwise high-impact data: needs explicit consent, or do not collect it)
- Personal photos
- Home addresses
- Health information
- Biometric data
- Children's data
The 3-Step Compliance Check
What are you collecting? Personal data needs an Article 6 legal basis. Special category data (Article 9) additionally needs one of the Article 9 exceptions, which for a scraper is in practice explicit consent.
What is your legal basis? Document it before you build, including the balancing test if you rely on legitimate interest. For B2B, legitimate interest can cover professional names, titles and work contact details. For B2C consumer data it rarely holds up.
Can you handle rights requests? Can you find every record for one person and hand it over or delete it within one month (Article 12(3)), across every copy, cache and export? If the dataset has no stable identifier per person, you cannot, and that is a design flaw, not a process gap.
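The three checks above translate directly into code. The following is an added illustration, not code from this post or from the Apify bundle: a small in-memory store for scraped profiles that enforces a per-legal-basis field allow-list at ingest time (data minimization), stamps every record with its source and a retention deadline, answers access requests, erases every copy for a subject and keeps a suppression list so the next crawl does not re-ingest them, and purges expired records. The policy tables, the `example.invalid` URLs, the sample profiles and the field names are all constructed for the example.

```python
"""Compliance-by-design store for scraped profiles (added illustration, not Apify code).
Policy tables, sample profiles and field names are constructed for this example."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Allow-list per documented legal basis (check 2): anything not listed is dropped at
# ingest time, so minimization is enforced in code rather than in a policy document.
ALLOWED_FIELDS = {
    "legitimate_interest": {"name", "title", "company", "work_email", "profile_url"},
    "consent": {"name", "title", "company", "work_email", "profile_url", "photo_url"},
}

SAMPLE_PROFILES = [  # constructed sample scraper output, not real people
    {"name": "Ada Example", "title": "Head of Engineering", "company": "Example GmbH",
     "work_email": "ada@example.com", "profile_url": "https://example.invalid/in/ada",
     "photo_url": "https://example.invalid/ada.jpg", "home_address": "1 Example Street"},
    {"name": "Bob Sample", "title": "CTO", "company": "Sample SA",
     "work_email": "bob@sample.example", "profile_url": "https://example.invalid/in/bob"},
]


def subject_key(email: str) -> str:
    """Stable pseudonymous index per data subject so a rights request finds every copy."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


@dataclass
class Record:
    subject: str        # subject_key(), never the raw email
    basis: str          # which ALLOWED_FIELDS policy applied
    source: str         # where it was scraped from (needed to answer Article 14/15)
    collected_on: date
    expires_on: date    # retention limit fixed at write time, not cleaned up "later"
    fields: dict


class ScrapeStore:
    def __init__(self, retention_days: int = 365) -> None:
        self.retention = timedelta(days=retention_days)
        self.records: list[Record] = []
        self.erased: set[str] = set()   # suppression list: erased subjects are not re-ingested
        self.log: list[tuple] = []      # minimal processing log

    def ingest(self, raw: dict, basis: str, source: str, today: date) -> Record | None:
        if basis not in ALLOWED_FIELDS:
            raise ValueError(f"no documented policy for legal basis {basis!r}")
        if "work_email" not in raw:
            return None  # no stable identifier means rights requests cannot be honoured: drop it
        key = subject_key(raw["work_email"])
        if key in self.erased:
            self.log.append(("skip_erased", key, source))
            return None
        allowed = ALLOWED_FIELDS[basis]
        kept = {k: v for k, v in raw.items() if k in allowed}
        dropped = tuple(sorted(set(raw) - allowed))
        rec = Record(key, basis, source, today, today + self.retention, kept)
        self.records.append(rec)
        self.log.append(("ingest", key, source, basis, dropped))
        return rec

    def access_request(self, email: str) -> list[dict]:
        """Article 15: everything held about one subject, with basis and source."""
        key = subject_key(email)
        return [{"source": r.source, "basis": r.basis,
                 "collected_on": r.collected_on.isoformat(), "data": r.fields}
                for r in self.records if r.subject == key]

    def erase(self, email: str) -> int:
        """Article 17: delete every record for the subject and block re-ingestion."""
        key = subject_key(email)
        before = len(self.records)
        self.records = [r for r in self.records if r.subject != key]
        self.erased.add(key)
        removed = before - len(self.records)
        self.log.append(("erase", key, removed))
        return removed

    def purge_expired(self, today: date) -> int:
        """Storage limitation (Article 5(1)(e)): drop records past their retention date."""
        before = len(self.records)
        self.records = [r for r in self.records if r.expires_on > today]
        purged = before - len(self.records)
        self.log.append(("purge", today.isoformat(), purged))
        return purged


def demo() -> dict:
    """Walk the three checks: minimise at ingest, answer access, erase, purge on schedule."""
    store = ScrapeStore(retention_days=365)
    day0 = date(2024, 6, 1)
    recs = [store.ingest(p, "legitimate_interest", "example.invalid", day0) for p in SAMPLE_PROFILES]
    out = {"ada_fields": sorted(recs[0].fields)}                   # photo_url, home_address never stored
    out["ada_access"] = store.access_request("Ada@Example.com")     # lookup is case-insensitive
    out["ada_erased"] = store.erase("ada@example.com")
    out["ada_after"] = store.access_request("ada@example.com")
    out["ada_reingest"] = store.ingest(SAMPLE_PROFILES[0], "legitimate_interest",
                                       "example.invalid", day0 + timedelta(days=30))
    out["purged"] = store.purge_expired(day0 + timedelta(days=366))
    out["remaining"] = len(store.records)
    return out


if __name__ == "__main__":
    print(demo())
```

The suppression list is the part most scrapers forget: erasing a record and then re-scraping the same profile on the next run is still a violation. Indexing by a hash of the normalized work email rather than the email itself keeps the index itself from being a second copy of the personal data, though in a real system the hash should be keyed (HMAC) so it cannot be brute-forced from a list of known addresses.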
The Bottom Line
GDPR enforcement for scraping is accelerating, and the Clearview fines set the precedent. The safest approach: scrape only B2B professional data that is already public, document your legal basis before you build, set retention limits, and build access and erasure capability from day one.
Building GDPR-compliant scrapers? The Apify Scrapers Bundle includes scrapers built with data minimization and GDPR-compatible data handling.
Get the bundle for 29 EUR -> https://vhubster3.gumroad.com/l/fjmtqn