Eagle Alpha Legal Wrap - December 2023

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.

US

Sam Altman’s dismissal and return to OpenAI has been the main highlight of the past few weeks. The exact reasons for his initial removal are still unclear but the incident might sow doubt about the promises and risks of AI, as it involves a prominent AI advocate being accused of dishonesty. Second, it could prompt boards to demand more comprehensive internal reporting structures for AI, emphasizing reliable compliance, and concentration risks. You can access the full article here.

Air Canada has filed a lawsuit against Localhost LLC, operator of Seats.aero, alleging the unauthorized scraping of vast amounts of flight data. The complaint asserts that Localhost violated Air Canada's website terms, causing site slowdowns and other disruptions. The case raises questions about browsewrap agreements' enforceability and the interpretation of "unauthorized access" under the CFAA, potentially impacting web scraping disputes and the training of AI models. You can access the full article here. Ryanair v. Booking.com is also heating up as the online travel agency is now accusing the airline of ‘stealing customers’ and a potential claim of ‘unjust enrichment’. You can access the full article here.

U.S. District Judge B. Lynn Winmill unsealed the FTC's detailed complaint against Kochava revealing the company’s extensive data collection, including sensitive movement data down to a meter, used to enable targeted advertising based on personal metrics. Despite Kochava's assertion of anonymization, the FTC's complaint highlights the direct linking of geolocation data to identifiable information. You can access the full article here.

Lawsuits are surging under Illinois' Biometric Information Privacy Act (BIPA), granting consumers and employees the right to legal action against companies mishandling facial scans, fingerprints, and other imaging data. Notably, Facebook, Google, TikTok, and Snapchat settled multimillion-dollar lawsuits alleging BIPA violations. The law demands written consent for biometric data collection, setting policies for its usage, retention, and disposal. You can access the full article here.

The SEC’s Chairman Gary Gensler cautioned against "AI washing," comparing it to greenwashing and warning companies against making false claims regarding artificial intelligence. He emphasized the necessity for truthful disclosures under securities laws, highlighting the growing concern over exaggerated or fabricated AI assertions in marketing. You can access the full article here.

EU

The EU Council approved the Data Act, a groundbreaking regulation aimed at establishing fair access to and use of data within the EU. The Act distinguishes between product and service data, ensuring users' rights while protecting trade secrets and intellectual property. Additionally, it introduces measures to prevent unfair data sharing contracts and provides guidelines for reasonable compensation. You can access the full article here.

France, Germany, and Italy have aligned on a joint proposal outlining AI regulations that combine voluntary commitments, binding for both small and large AI providers in the EU. This agreement aims to speed up negotiations at the European level, crucial for the EU's AI Act. You can access the full article here.

UK

Clearview AI, a controversial U.S.-based facial recognition company, won an appeal against the fine issued by the U.K.'s Information Commissioner's Office (ICO) last year. Clearview's appeal prevailed on jurisdictional grounds, as the tribunal ruled that the company's activities fell outside U.K. data protection law due to an exemption related to foreign law enforcement. You can access the full article here.

Several organizations are challenging NHS England's creation of the Federated Data Platform (FDP), alleging a lack of legal basis for its establishment and planning a judicial review. The £330m contract awarded to Palantir, a US company, to manage the FDP has raised concerns about patient data privacy. You can access the full article here.

China

In 2023, China introduced extensive regulations on data protection and cybersecurity, focusing on cross-border data transfer and personal information security. Looking ahead to 2024, uncertainty surrounds key definitions, like "important data," impacting cross-border data transfer requirements. China also explores ways to align its regulations with international standards, such as the Digital Economy Partnership Agreement (DEPA), signaling potential shifts in its data protection landscape. You can access the full article here.

Brazil

The Brazilian National Data Protection Agency (ANPD) released a draft order outlining the appointment and responsibilities of Data Protection Officers (DPOs). The order assigns new responsibilities to DPOs, like maintaining records of processing activities, conducting impact assessments, identifying risks, establishing security measures, setting governance rules, and overseeing international data transfers. You can access the full article here.

Industry Commentary

Mike Myer, CEO of Quiq, on ChatGPT Enterprise:

“Kudos to OpenAI for releasing an enterprise product that allows enterprises to use ChatGPT, which represents an important step forward. However, this doesn’t make ChatGPT ready for the enterprise. It is laudable that OpenAI expanded and formalized its policy not to use any data entered via its APIs for training purposes for the enterprise level. However, the original problems that invoked the need for guardrails in the first place still need to be addressed. Most importantly, ChatGPT Enterprise is still connected to open web search, thus, the issue of returning answers that are hallucinations or simply wrong will continue.” You can access the full commentary here.