Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.
US
OpenAI was hit with a wide-ranging consumer class action lawsuit alleging that the company’s use of web scraping to train its artificial intelligence models misappropriates personal data on “an unprecedented scale.” The nearly 160-page complaint filed on June 28th in a San Francisco federal court said OpenAI’s popular generative AI programs ChatGPT and DALL-E are trained on “stolen private information” taken from what it described as hundreds of millions of internet users, including children, without proper permission. You can access the full article here.
Regarding the OpenAI developments, Peter Greene from Schulte Roth & Zabel commented: “It will be interesting to see how this action develops; it intersects with the traditional scraping analysis of what it means to be public on the internet for purposes of securities laws."
On May 4, 2023, an Idaho federal judge ruled that the Federal Trade Commission (FTC) needs stronger assertions of consumer harm in order for its data privacy suit against data broker/mobile analytics provider Kochava to proceed. The court simultaneously found no basis for Kochava’s suit to block the FTC’s enforcement action. The judge sided with Kochava’s argument that the agency had not adequately supported its claim that the company sales of geolocation data constituted unfair conduct under Section 5 of the FTC Act, finding no allegations that the practices “created a ‘significant risk’ of concrete harm.” The agency has 30 days to amend the complaint. You can access the full article here.
The Consumer Financial Protection Bureau (CFPB) issued a June 6 report summarizing its research into the use of artificial intelligence (AI) in consumer finance. The report focuses on the shift away from "human support" to "algorithmic support" in the banking and consumer finance industry and provides an analysis of the use of chatbots and its associated risks. The CFPB also confirmed that it will take an active role in monitoring compliance in the context of AI. You can access the full article here.
On June 16, 2023, Nevada’s Governor signed Senate Bill (SB) 370, which enacts certain protections for consumer health data. The law is similar to Washington’s My Health, My Data Act, which was passed in April. The Future of Privacy Forum prepared a useful chart comparing the Washington and Nevada laws. Nevada’s law becomes operative on March 31, 2024. You can access the full article here.
On June 14, FCC Chairwoman Jessica Rosenworcel announced the establishment of the Commission’s new Privacy and Data Protection Task Force. According to the announcement, the task force will coordinate efforts across the FCC on rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors. These coordinated measures, Rosenworcel said, are intended to protect against and respond to data breaches involving telecommunications providers and those related to cyber intrusions. Measures will also address supply chain vulnerabilities involving third-party vendors that service regulated communications providers. You can access the full article here.
US State-Level Data Privacy Updates
- On June 18, Texas Governor Greg Abbott signed into law the Texas Data Privacy and Securities Act (TDPSA). Substantive portions of the TDPSA are set to take effect on July 1, 2024, making Texas the 10th state to implement comprehensive privacy legislation. You can access the full article here.
- The Connecticut legislature passed and the governor recently signed amendments to the Connecticut Data Privacy Act (CTDPA), the state's comprehensive consumer data privacy law, which goes into effect July 1, 2023. You can access the full article here.
- On June 22, 2023, the Oregon legislature passed the Oregon Consumer Privacy Act (OCPA) (SB 619). Subject to the procedural formalities, the bill will move to Oregon Governor Tina Kotek for consideration. Assuming the bill becomes law, Oregon will become the eleventh state – and sixth this year – to pass a consumer data privacy bill. You can access the full article here.
- On June 30, 2023, the Delaware legislature passed the Delaware Personal Data Privacy Act (HB 154). Subject to the procedural formalities in the legislature, the bill will move to Delaware Governor John Carney for consideration. The Delaware bill closely resembles last year’s Connecticut Data Privacy Act (CTDPA) with some notable differences. You can access the full article here.
China
On June 20th, 2023, the Cyberspace Administration of China (CAC) released the Announcement on the Record of Deep Synthesis Service Algorithms. This development reveals the official channel and practical guidance for filing records of deep synthesis algorithms, which follows on from the publication of the Administrative Measures for Generative Artificial Intelligence Services (“Draft Measures”) released on 11 April 2023 and specifies the procedures for algorithms filling as mentioned in the Draft Measures. You can access the full article here.
JPMorgan Chase's fund management arm in China is devoting "more and more" time and money to complying with data security laws as Beijing tightens regulations, its chief says. Eddy Wong, CEO of JPMorgan Asset Management's fully owned fund manager in China, said the "industry is very active" in trying to avoid crossing each "red line" created by mid-2021 Chinese laws governing personal information protection and data security. You can access the full article here.
Regarding China's data regulation developments, Peter Greene from Schulte Roth & Zabel commented: We all need to watch whether China’s strict data security laws will diminish the value of data sets from China.
On June 1, the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information came into effect, requiring certain personal data processors, including companies handling data on fewer than 1 million people, to sign contracts with overseas recipients before sending data abroad. Under the laws, the central government has established its personal data export regulatory regime. Apart from the measures on the standard contract, the regime includes rules requiring companies to apply for a security assessment from the country's internet watchdog or to apply for personal information protection certification from a qualified agency. You can access the full article here.
According to a notice issued by the CAC on June 25th, a Beijing-based company has passed the first-ever China SCC filing. A few months ago, the first-ever positive security assessment in China was also granted to a hospital in Beijing. Beijing has undoubtedly become a pioneer in the implementation of cross-border data transfer mechanisms. This is an exciting development for data exporters in China, demonstrating that China has officially started the practical implementation of the China SCCs mechanism. You can access the full article here.
The Zhejiang Provincial IPR in Data Registration Platform was launched at the end of April. It is designed to protect the intellectual property rights of data-oriented enterprises and offer them various services, according to Gu Wenhai, deputy director of Zhejiang Intellectual Property Office. Gu added that an IPR registration certificate for data can be used as preliminary proof of data circulation transactions, allocation of earnings, and rights protection. You can access the full article here.
Only two companies were allowed to register as private fund managers in China in May, down from 139 the previous month, as tighter regulations governing the $2.9 trillion industry took effect on the first day of May. The two firms, Juhai Venture Capital Management and Zhejiang Jintou Dingxin Private Fund Management have been registered as managers of private equity and venture capital funds, according to the website of the Asset Management Association of China (AMAC). You can access the full article here.
UK
On June 8, 2023, the UK and the U.S. governments issued a joint statement announcing that they had committed in principle to the establishment of a “UK Extension to the Data Privacy Framework,” which would facilitate flows of personal data between the two countries (the “Data Bridge”). The establishment of the Data Bridge is contingent on an assessment by the UK government, the adoption of adequacy regulations under the Data Protection Act 2018, and the U.S. designating the UK as a “qualifying state” under Executive Order 14086. You can access the full article here.
Europe
A US-based fraud prevention company has been targeted for collecting data from millions of EU citizens and processing it using automated tools without their knowledge but it did so in the United States, all in violation of the EU's data protection rules. The complaint was filed by Austrian privacy advocacy group noyb, helmed by lawyer Max Schrems, and it doesn't pull any punches in its claims that TeleSign, through its former Belgian parent company BICS, secretly collected data on cellphone users around the world. You can access the full article here.
The EU Parliament and the Council have reached a political agreement on new rules that will require member states to use intelligent transport systems (ITS) along major roads, to enable vehicles and infrastructure to better communicate (see Council’s press release 8 June 2023). The EU lawmakers have agreed to revise the 2010 directive on the deployment of intelligent transport systems to align to technological developments and accelerate the availability and enhance the interoperability of digital data that feed services like connected and automated mobility, on-demand mobility applications, and multimodal transport. You can access the full article here.