Eagle Alpha Legal Wrap - January 2024

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.

US

The FTC's lawsuit against data broker Kochava, filed in August 2022, dismissed, and then refiled in June, has been unsealed. The revised complaint highlights Kochava's sale of precise location data tied to specific individuals, including health conditions and information about religious practices. It emphasizes Kochava's lack of customer vetting and control measures, pointing to significant risks for consumers. This case underlines the pressing need for robust federal privacy laws governing data brokerage. You can access the full article here.

The SEC is considering a rule that could potentially restrict brokers and investment advisers from using predictive technologies unless they eliminate all conflicts of interest tied to these tools. This broad proposal might hinder the swift adoption of evolving technologies, possibly placing US firms and clients at a disadvantage globally. You can access the full article here.

Authors Nicholas Basbanes and Nicholas Gage have filed a class-action lawsuit against Microsoft and OpenAI, alleging the companies unlawfully used their copyrighted works to train a billion-dollar AI system. This comes after a similar complaint from The New York Times against the same entities. Basbanes and Gage aim to represent all writers whose works were used without permission. They're seeking damages of up to $150,000 for each infringed work. This lawsuit follows a similar legal action by fiction writers, including George R.R. Martin and Jonathan Franzen, filed earlier in Manhattan federal court. You can access the full article here.

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network started accepting reports on beneficial ownership information as mandated by the Corporate Transparency Act. Companies operating in the U.S. are required to report details about their ultimate owners or controllers. Existing companies have until January 1, 2025, to file, while new companies registered in 2024 must do so within 90 days of their creation or registration. You can access the full article here.

Ambiguities in California’s Delete Act, especially regarding the definition of "data broker" and verification of deletion requests, pose challenges for implementation. The law's impact will affect data brokers, businesses interacting with them, and consumers seeking deletion of personal data, highlighting the need for clarity in forthcoming regulations from the CPPA. You can access the full article here.

The FTC proposed significant updates to the Children's Online Privacy Protection Rule (COPPA). These changes aim to bolster children's online privacy by restricting data monetization, limiting targeted advertising, enhancing data security, and banning excessive data collection for kids under 13. You can access the full article here.

The Center for Countering Digital Hate (CCDH) filed a motion to dismiss X Corp’s lawsuit, accusing the company of trying to silence criticism rather than addressing alleged contract breaches. CCDH emphasized that X's grievances stem from CCDH's public criticism of the platform rather than any violation of contract terms. You can access the full article here.

The FTC's recent settlement with Rite Aid over alleged facial biometrics misuse sheds light on critical considerations for companies utilizing advanced technologies. The FTC's emphasis on risk assessments, monitoring, and compliance programs serves as a wake-up call for businesses navigating the biometrics and AI regulatory landscape. You can access the full article here.

The FCC updated its data breach notification rules for telecom companies. This federal requirement, a first for carriers, carries substantial consequences for non-compliance and sets somewhat ambiguous reporting boundaries. Any unauthorized access or use of data linked to an individual constitutes a breach, and even minor accidental disclosures demand notification, unlike certain state rules. You can access the full article here.

EU

The Court of Justice of the European Union (CJEU) clarified key aspects of the GDPR in the case stemming from a cyber-attack on the Bulgarian National Revenue Agency affecting over six million individuals. One affected person sought compensation for non-material damage caused by a personal data breach. The CJEU emphasized that the mere occurrence of a breach doesn't imply inadequate measures by the Agency and highlighted the need for courts to assess the implemented measures based on the risks associated with data processing. You can access the full article here.

Euractiv recorded a podcast with Aline Blankertz, Policy and Public Sector Officer at Wikimedia, discussing the EU's data policy and competition in 2023 and the main challenges for 2024. They also covered the EU’s Data Act and the Digital Markets Act and the EU’s approach to personal health data and business trade secrets. You can listen to the full episode here.

The EU Data Act provides users with improved flexibility to switch between cloud providers, guards against illegal data transfers, and promotes interoperability standards. It focuses on creating standards for data sharing and processing while safeguarding trade secrets and intellectual property. Additionally, it aims to prevent unfair contractual terms in data-sharing agreements, specifically benefiting EU businesses, particularly small and medium-sized enterprises (SMEs). You can access the full article here.

UK

The Data Bridge serves as a mechanism allowing UK organizations to transfer personal data to US-based entities adhering to the US’s Data Privacy Framework (DPF). However, limitations exist: only US entities under specific jurisdictions can self-certify, certain sensitive data categories have stricter transfer rules, and UK organizations must update their documentation for compliance. You can access the full article here.

The UK is tightening its tax rules for individuals making money through online platforms like Vinted, Airbnb, and eBay. Starting January 1, these firms are required to share transaction details with tax authorities like HMRC. This shared information will assist authorities in ensuring tax compliance. You can access the full article here.

China

China's Cyberspace Administration and Hong Kong's Innovation, Technology, and Industry Bureau jointly released the GBA SCC Guidelines on December 13, 2023, establishing rules for cross-border data transfers within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA). These guidelines introduce optional GBA SCCs for data transfer within the GBA, maintaining existing cross-border data regulations in Mainland China and Hong Kong. They offer less strict requirements for data transfer within the GBA compared to other regions in China. You can access the full article here.

Industry Commentary

Amy Stewart, SVP, General Counsel, and Global Chief Data Ethics Officer at LiveRamp, on data privacy by design for AI programs.

“Within 12 months, a significant wave of AI regulations may render current practices unstable and non-compliant. To avoid future headaches, the ‘first principles’ underlying privacy by design are fundamental to the development and implementation of generative AI tools and applications. Businesses should transparently inform consumers if they use AI to process their personal information and give them the choice to allow or opt out of this use of their data. Furthermore, businesses should conduct analyses to ensure they do not disadvantage the privacy interests of consumers. These practices will demonstrate respect for consumers and earn their trust for the business.” You can access the full commentary here.