Eagle Alpha Legal Wrap - April 2021
Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.
United States:
The SEC’s Division of Examinations published its examination priorities for the year focusing on whether firms are operating consistently with their reps and complying with rules and requirements around customer orders and mobile apps. They will also focus on data providers and private and registered funds and how they use “alternative data,” including whether they have appropriate controls around the creation and use of that data. You can view the article here.
On April 15th, in a blog Facebook noted, "we devote substantial resources to combating unauthorized scraping on Facebook products [and] have a dedicated External Data Misuse team made up of more than 100 people, including data scientists, analysts and engineers, focused on our efforts to detect, block and deter scraping." This comes as a response to web-scraping activities taking place on the site where half a billion users’ data was breached. You can view the blog post here.
Web-scraping breaches affecting Facebook and LinkedIn accounts, as well as hacks on Stanford University and SITA, an aviation-focused IT company, has data collection and data security in the media spotlight. The same article also discusses a call by FBI Director Christopher Wray for the banning of data encryption. This proposal has been met with opposition. You can view the article here.
Google Chrome and Chrome-based browsers will stop supporting third-party cookies from 2022, affecting the entire advertising industry and data collection companies that relied on third-party cookies. On March 3, 2021, Google published a blog stating, “Users are demanding greater privacy—including transparency, choice, and control over how their data is used — and it’s clear the web ecosystem needs to evolve to meet these increasing demands.” You can view the article here.
UK:
The FCA and Bank of England recently hosted the second meeting of the Artificial Intelligence Public Private Forum and identified a number of challenges around the use of 'alternative data' and its unstructured, synthetic, aggregated and third-party qualities. They noted that the root causes of any issues can depend on the maturity of an organisation's use of AI and alternative data and that the due diligence processes for assessing the data sources should ensure that they use third-party data providers that are legitimate and have clear data provenance. You can view the article here.
On the 14th of April, the European Data Protection Board compared the UK Data Protection Act to the GDPR and to the Law Enforcement Directive, and noted ‘strong alignment’ on key areas between the EU and UK data protection regimes. These include lawful and fair processing for legitimate purposes, purpose limitation, data quality and proportionality, data retention, transparency and special categories of data, as well as others. The outcome of this meeting means that it is likely that the UK approved as an adequate jurisdiction for transfers of personal data from the EU. You can view the article here.
At the end of the month, the UK Supreme Court will hear an appeal from Google in the Lloyd v Google LLC case where an estimated 4.4 million iPhone users allege unlawful gathering of information on Apple’s Safari browser. This decision is being followed closely and may pave the way for new “opt-out” representative actions for data breach claims on the basis that all the claimants have lost control of their data. You can view the article here.
Other:
Australia’s Competition and Consumer Commission has ruled that Google misled consumers by operating a confusing dual-layer of location settings in what the regulator describes as a “world-first enforcement action”. The Court also ruled that Google misled consumers when they later turned off the ‘Location History’ setting on their Android device leaving the “web and app activity”, Google would continue to collect, store and use their personally identifiable location data. You can view the article here.