The data scraping and data collection that Application Programming Interfaces (APIs) enable are ubiquitous means of automatically and instantaneously gathering large amounts of online data. Anyone can leverage the capabilities of internet infrastructure to engage in data collection, yet the subjects of the data collection are often unaware of the full extent to which this personal data harvesting occurs. The accessibility and discreetness of large-scale automated online data collection test the overall fitness of the European data protection framework, the General Data Protection Regulation (GDPR), to provide control to individuals over their personal data while promoting innovation and ensuring legal certainty for all parties concerned.

This Article explores the extent to which the jurisprudence of the Court of Justice of the European Union (CJEU) and the guidance of data protection authorities have accommodated this technological transformation. Data controllers have been the apparent focal point of institutional responses. Absent further clarification, however, an approach focused on data controllers is likely both insufficient and unsustainable. This Article outlines areas for further clarification and additional focus—namely, the concept of “public accessibility” of online data, the notion of “reasonable expectations,” the capacity of the “fairness” principle, and an increased emphasis on technological infrastructure and rights-respecting AI development.