Just because it’s online doesn’t mean it’s fair game: GDPR and public data
Let’s bust a common myth: Just because information is online doesn’t mean you can do whatever you want with it. The internet is like a treasure trove of data, but here’s the catch—if that data includes personal information, GDPR still applies. Yup, even if it’s publicly available.
In this post, we’ll break down what public data is, why you can’t just freely use it, and how GDPR ensures that personal data is protected no matter where you find it.
What is public data, anyway?
Public data is any information that’s freely accessible online—think social media profiles, public forums, or even a company’s contact page. But just because it’s out there in the wild doesn’t mean you can treat it like a free buffet.
If this public data includes any personally identifiable information (PII), such as names, addresses, email addresses, or even photos of individuals, GDPR steps in to protect that data. The law doesn’t care whether it’s hidden behind a paywall or sitting out in the open; it’s still considered personal data, and it’s still protected.
So, what counts as PII?
Under GDPR, PII is basically any data that could be used to identify an individual, either directly or indirectly. This could include:
- Names
- Email addresses
- Social media usernames
- Photos of people
- Phone numbers
- IP addresses
- Even things like job titles when tied to a specific person
If you can link any of this data back to a living person, congratulations—you’ve found PII. And with that comes responsibility.
Legal basis: It’s not just about access, it’s about permission
Here’s where a lot of people get it wrong: GDPR isn’t concerned with where you found the data. It’s all about why and how you’re using it.
If you’re going to process public data that includes PII, you need a legal basis to do so. Under GDPR, there are six legal bases for processing personal data:
- Consent – The individual has given clear consent to process their data.
- Contractual necessity – You need the data to fulfill a contract.
- Legal obligation – Processing the data is necessary to comply with the law.
- Vital interests – The processing is needed to protect someone’s life.
- Public task – The processing is needed to carry out an official function.
- Legitimate interests – The processing is necessary for your legitimate interests, but only if those interests aren’t overridden by the individual’s rights.
If you don’t have one of these legal bases, you can’t just scoop up publicly available data and start using it. Simple as that.
Example: Scraping data from social media
Let’s say you run a marketing agency, and you’re thinking about scraping LinkedIn profiles for potential clients. Sounds harmless, right? After all, these people put their profiles out there themselves. But hold up—if you’re grabbing names, job titles, and contact info, you’re dealing with PII, and under GDPR, you need a legal basis before you can process that data.
Without consent or another legal justification, scraping this kind of data could land you in serious trouble with GDPR regulators.
The risks of assuming public data is “fair game”
Ignoring GDPR because you think public data is a free-for-all is a dangerous game. Just because you can access it easily doesn’t mean you’re allowed to process it however you want. Misusing personal data can lead to hefty fines, reputational damage, and a whole lot of headaches.
Remember, GDPR fines can go up to €20 million or 4% of your global turnover—whichever is higher. So, it’s well worth your time to get your data processing practices in check.
Real-world example: The scraping debacle
One of the most high-profile cases around public data misuse came when Facebook data was scraped by third parties. Just because the data was visible on social media didn’t mean it could be harvested and used for any purpose. Facebook had to deal with both reputational fallout and regulatory attention because of these practices.
Even if your business isn’t as big as Facebook, GDPR applies to you, too.
Final thoughts: Always check your legal basis
Before you process any public data that contains personal information, make sure you’ve got a legal basis under GDPR. Just because data is freely available doesn’t mean you have the green light to use it however you please.
Public data might be easily accessible, but GDPR’s rules on privacy and consent still apply. Don’t assume—it could cost you more than you think.