Eagle Alpha Legal Wrap - January 2023
Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.
US
Meta agreed to pay 725 million USD to settle a class-action lawsuit regarding third parties, including Cambridge Analytica, accessing users' personal information. The long-running case stemmed from accusations that Meta allowed the British political consulting firm Cambridge Analytica to deploy an app on its social media platform to gather data from as many as 87 million users. You can access the full article here.
"The controls around privacy and the due diligence performed by the buy-side certainly have changed dramatically (for the good) since this story first broke in 2018" - Peter Greene, Partner, Investment Management, Schulte, Roth & Zabel
The Consumer Financial Protection Bureau (CFPB) outlined proposals needed to implement section 1033 of the Dodd-Frank Act and strengthen consumers’ access and control over their financial data. The rule would require firms to make a consumer’s financial information available to them or to a third party at that consumer's direction. “Covered data providers” include financial institutions and card issuers. You can access the full article here.
The Financial Data Transparency Act was passed into law with the SEC required to create data collection standards for the information reported by issuers and obligors of municipal securities. The aim is to make financial regulatory reporting fully searchable and machine-readable with information also available in an open data format. You can access the full article here.
The Virginia Consumer Data Protection Act (CDPA) became effective on January 1st, 2023. Virginia residents receive rights of access, correction, deletion, portability, the right to opt out of certain processing, and the right to appeal a controller’s decision regarding a rights request. You can access the full article here.
The Federal Reserve Board released draft principles for managing climate-related financial risks (“Climate Principles”) targeted at institutions with over $100 billion in total assets. The proposed principles would cover data and risk measurement among other areas. The Climate Principles are similar to the ones proposed by the Office of the Comptroller of the Currency in December 2021 and the Federal Deposit Insurance Corporation in March 2022. You can access the full article here.
Google agreed to pay 29.5 million USD to settle lawsuits with Washington, D.C. and Indiana over its use of location tracking. On the other hand, US District Judge Yvonne Gonzalez Rogers dismissed a privacy lawsuit by consumers who accused Google of tracking users’ personal information after they opted out of sharing their activity and even if they didn’t have an account. Rogers wrote: “Google adequately disclosed, and plaintiffs consented to, the collection of the at-issue data.” You can access the full articles here and here.
Europe
The European Commission announced a draft decision on U.S. adequacy, bringing both parties one step closer to a replacement data privacy framework to be adopted in 2023. Ever since the Schrems II court decision invalidated the Privacy Shield—the previous EU-U.S. data transfer framework—data transfers between the two countries have been on uncertain legal grounds. You can access the full article here.
Meta’s ad practices were ruled to be illegal under the EU’s data protection law as regulators found that users were forced to effectively accept personalized ads. The ruling also includes a fine of 390 million euros. Placing the legal consent within the lengthy terms of service agreements were deemed to force users into accepting personalized ads. You can access the full article here.
The European Commission proposed regulating data collection and sharing for short-term accommodation rental services. The proposal outlines data sharing and website design specifications for online platforms and it also encourages EU nations to develop a harmonized registration process for hosts. You can access the full article here.
The European Union’s first broad standards for regulating artificial intelligence are one step closer as the Council of the EU adopted amendments to the draft act. The definition of “AI” is slightly narrowed to distinguish simpler software systems and prohibited AI practices are further clarified. You can access the full article here.
UK
Apple’s new privacy feature allowing end-to-end encryption puts the company at odds with the UK government over online safety bill. “We support strong encryption but it cannot come at the expense of protecting the public. End-to-end encryption cannot be allowed to hamper efforts to catch perpetrators of the most serious crimes,” a government spokesperson said. You can access the full article here.
China
The World Health Organization urged China to share real-time information on the COVID-19 surge and stressed the importance of data transparency. Regular data sharing is deemed necessary in order to formulate accurate risk assessments. You can access the full article here.
The Ministry of Industry and Information Technology released the final version of the Measures for Data Security Management. These new guidelines divide data into three categories and demand that businesses use various levels of security precautions while gathering, processing, transmitting, and discarding data. You can access the full announcement here.
The National Information Security Standardization Technical Committee released new certification standards for companies that are involved in cross-border personal information processing. The standards specify personal information protection principles for companies and overseas recipients of data. You can access the full article here.