Eagle Alpha Legal Wrap - August 2021

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.

US

In order to address the challenges associated with the rise of ESG data and ratings, the Board of the International Organization of Securities Commissions (IOSCO) has proposed recommendations aiming to mitigate risks flowing from the activities of ESG ratings and data products providers. These recommendations also address some of the challenges faced by users of ESG data and ratings, as well as the companies that are the subject of these ratings or data products. You can access this article here.

A recent KPMG study of 250 "director-level or higher" executives at companies with over 1,000 employees found that 29% admitted that the way their own companies collect personal information is "sometimes unethical." Additionally, 33% of respondents said that consumers should be concerned about how their company uses personal data. You can access the article here.

Connecticut’s “Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” will now have one of the broadest definitions of personal information in any data breach law in the US. In this act, a personal data “trigger” is defined as first name or first initial and last name, in combination with any one or more data points including a range of IDs, medical information, biometric information and more. Several other states have also very recently reviewed their cybersecurity laws. You can access the article here.

Due to a failure to implement adequate data security measures to protect and secure consumers’ credit card information, Dickey’s Restaurant was fined $2.35 million by the U.S. District Court for the Northern District of Texas. The data breach was also found to violate CCPA and the California Unfair Competition Law. You can view this article here.

UK

Following an announcement that the UK aims to reform its data laws and pursue data-sharing agreements with non-EU countries including the US and Australia, the EU has warned that if a rewrite goes ahead, any data-sharing agreements the UK has with the EU will cease in order to protect EU citizens' privacy. One of the proposed reforms is removing the cookie pop-ups that tell internet users when they are being tracked online. You can access the article here.

China

On the 20th of August, China finalized the Personal Information Protection Law (PIPL), which is set to come into effect on the 1st of November 2021. This robust data privacy framework aims to protect individuals' personal data against abuse while also addressing modern cultural and business attitudes in China. Like all laws that have been passed so far in China, it includes many high-level principles but is expected to receive additional guidelines in the coming months. You can access the article here.

Following the implementation of China's Data Security Law and Personal Information Protection Law, many companies are anxious to know whether data can be exported from China, and whether there is any need to localize data in China to future-proof relevant business activities. Due to this uneasiness, many multinational companies have put 'China data/server localization' and 'China data/cyber-related compliance issues' on their boards' agendas. You can access the article here.

Europe

The global sports analytics industry is expected to grow from $1.9 billion in 2019 to $5.2 billion by 2024, so a distinction must be made between the use of personal data, such as athletes' biometric data, and data that is considered to be already in the public domain. Under the GDPR, athletes have the right to access their data, to request rectifications and to erasure. If athletes began to exercise this right, it would impact rapidly growing sports and performance datasets. You can access the article here.

To allow SEC registrants to remain compliant with Swiss data protection laws while providing personal data in response to SEC examinations, the Swiss Data Protection and Information Commissioner has released a framework outlining permissions for the transfer of personal data under two main headers: 'contract performance' and 'public interest'. You can access the article here.