We met Dipro in a Brussels office that looked more like an evidence locker. Stacks of legal briefs climbed the walls. A whiteboard showed increasingly desperate calculations about notification costs. In the corner, a poster: "Disproportionate Effort: Your Safety Valve*" The asterisk led to microscopic fine print nobody could read.
Dipro is Article 14(5)(b) of the GDPR, though everyone just calls them Dipro. They looked exhausted. For someone who's supposed to be a legal exemption, they spend most of their time explaining why they can't actually exempt anyone.
"I know why you're here," they said before we could ask. "Everyone thinks I'm going to save them from notifying six million people. I won't."
You're the 'disproportionate effort' exemption in GDPR Article 14. When companies scrape data, they're supposed to notify everyone whose data they collected. But you say they don't have to if it would take disproportionate effort. That sounds like exactly what large-scale scrapers need.
Dipro: Everyone thinks that. I'm right there in the regulation: organizations don't have to provide information to data subjects if it "proves impossible or would involve disproportionate effort." Sounds perfect, right? Scrape a million records, notifying everyone would be expensive and time-consuming, invoke me, move on.
Except European Data Protection Authorities read me very differently than Silicon Valley lawyers do.
To them, I'm not a practical exemption for large-scale operations. I'm a narrow exception for genuinely impossible situations. The gap between those readings? That's where companies lose hundreds of thousands of euros.
What changed? When did this interpretation crystallize?
Dipro: The Polish DPA case in 2021.1 A data broker scraped 6.5 million records from public business registries. Names, addresses, contact details—all technically public information. They figured: "We can't possibly notify 6.5 million people. Disproportionate effort. We'll invoke Article 14(5)(b)."
The DPA fined them €220,000.
Here's what killed them: they already had the contact details. Email addresses, phone numbers—right there in the scraped data. The DPA said if you have someone's contact information as part of your dataset, using it to notify them isn't disproportionate. It's just using the data you already collected.
That changed everything. Suddenly I wasn't protecting large-scale scrapers. I was only relevant for rare cases where you literally cannot reach people even though you have their data.
So the exemption only works if you don't have contact information?
Dipro: Essentially. If the scraped data includes emails, phone numbers, postal addresses—anything that could be used for notification—regulators expect you to use it. The cost doesn't matter. The scale doesn't matter. You have the means, therefore it's not disproportionate.
Look at KASPR. They scraped LinkedIn contact details and got hit with €240,000 by France's CNIL in December 2024.2 They had the contact information by definition. That's what they were scraping. I was useless to them.
Or Clearview AI—€50 million in combined fines across Europe.3 They scraped billions of images and associated data. The Dutch DPA specifically called them out for failing to notify individuals. Clearview probably invoked me in their defense. Didn't help.
This creates an impossible situation for legitimate business intelligence operations.
Dipro: (laughs bitterly)
You're scraping product pricing data, competitor intelligence, market research. You filter carefully—no personal data in your final dataset. But during collection, you temporarily process personal information. Employee names on "About Us" pages. Contact forms. LinkedIn profiles of sales teams.
Under GDPR, that moment of processing triggers notification obligations. Even if you immediately discard that data. Even if it never enters your database. You technically processed it. And if any of those people are in the EU, you were supposed to notify them within one month.4
Nobody does this. The compliance cost would exceed the value of the intelligence gathered. But the legal risk is real.
What does "disproportionate" actually mean to regulators?
Dipro: There's no clear threshold. It's case-by-case assessment. But the pattern is obvious: if you have contact details, it's not disproportionate. If notification would merely be expensive or time-consuming, that's not disproportionate either.
The only scenarios where I've actually protected anyone: historical datasets where contact information was never collected. Research projects using anonymized public records. Archives where individuals are genuinely unreachable.
For active web scraping operations collecting current data? I'm almost never applicable.
How should companies actually think about you?
Dipro: Don't plan around me. Seriously. If your business model assumes you can invoke disproportionate effort to avoid notification, you're building on sand.
Instead, ask: "Are we collecting personal data at all?" If the answer is no—pure product data, pricing, public specifications—you're outside GDPR scope entirely. That's your real protection. Not me.
If you are collecting personal data, you need a legal basis under Article 6, proper security measures, retention limits, and yes, notification obligations.5 The cost of compliance should be factored into your operational model from day one.
I'm not a "get out of compliance free" card. I'm a narrow exception for edge cases. Treat me that way.
The research shows web scraping is now a "$20 million mistake" under GDPR. Is that because of how you've been interpreted?
Dipro: Partly. But it's broader. GDPR fines can reach €20 million or 4% of global revenue.6 Companies got fined not because they invoked me incorrectly, but because they fundamentally misunderstood what GDPR requires.
They thought "public data" meant "free to use." They thought large scale meant automatic exemption. They thought technical feasibility determined legal obligation.
European regulators think differently. To them, personal data is personal data regardless of where you found it. Processing requires legal justification. Scale doesn't create exemptions—it increases responsibility.
I'm just one small piece of that larger shift. But I'm the piece that surprised people most, because my name sounds so promising. "Disproportionate effort"—it sounds like exactly what you need when you're operating at scale.
Turns out, I'm not.
Footnotes
-
https://www.octoparse.com/blog/gdpr-compliance-in-web-scraping ↩
-
https://www.octoparse.com/blog/gdpr-compliance-in-web-scraping ↩
-
https://www.octoparse.com/blog/gdpr-compliance-in-web-scraping ↩
-
https://www.octoparse.com/blog/gdpr-compliance-in-web-scraping ↩
-
https://www.zyte.com/blog/web-scraping-gdpr-compliance-guide/ ↩
-
https://medium.com/deep-tech-insights/web-scraping-in-2025-the-20-million-gdpr-mistake-you-cant-afford-to-make-07a3ce240f4f ↩