Eagle Alpha Legal Wrap - June 2023

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.

US

The Depository Trust & Clearing Corporation (DTCC), the clearinghouse that processes U.S. stock trades, announced the indefinite suspension of its data feed called Investor Kinetics following concerns that the data distributed through Investor Kinetics and another DTCC offering, Equity Kinetics, could be exploited to the detriment of their customers. You can access the full article here.

Regarding the DTCC news, Ben Kozinn from Schulte Roth & Zabel commented: “There is an indication of large-scale trading happening based on the DTCC information. The question is: what are you then doing with the contract? You have to negotiate your contracts carefully. If you are not careful, they auto-renew, there is no material adverse change clause that says, ‘If the data changed materially, we get to cancel it’. This is something buyers all need to be thinking about when they are negotiating these contracts.”

Consumer health data is a hotly debated topic following the FTC’s recent cases including Premom, GoodRX, and Flo. Washington and Connecticut also passed laws around adopting protections for consumer health information. The International Association of Privacy Professionals (IAPP) proposed to adopt various tiers categorizing health data depending on risk-based sensitivity and whether it is combined with other data sources. You can access the full article here.

Life360, a family-tracking app, was accused of selling users’ location data without permission. The lawsuit was brought on behalf of a Florida minor and his family, who claim they would not have used the app if they had known about the data sales. The lawsuit cites an investigation that revealed Life360 was selling precise location data to multiple location data brokers. You can access the full article here.

The FTC filed complaints against Amazon and Ring, accusing them of using highly private data collected from consumers without giving sufficient regard to privacy protections. The complaints, the first since the FTC's new Biometric Policy Statement, highlight the importance of companies upholding privacy standards when using AI, biometric data, and sensitive information. You can access the full article here.

Microsoft was fined by the FTC for allegedly collecting biometric and personal data from children under the age of 13 through its Xbox game consoles. The FTC's recently released biometrics policy further emphasizes the need for clear notice and informed consent when collecting and using sensitive biometric information. You can access the full article here.

China

The government has strengthened anti-espionage laws and assigned China's spymaster to crack down on security threats posed by American firms. Vague data-related laws introduced during the pandemic further complicate matters for foreign businesses. Even innocuous actions like sharing an email signature, considered personal information under certain interpretations of Chinese data laws, can lead to trouble. These developments raise concerns about the feasibility of conducting business in China for international firms. You can access the full article here.

Yintao Yu, a former head of engineering at ByteDance's US operation, claimed in a legal filing that a Communist Party committee had access to TikTok data, including network information, SIM card identifications, and IP addresses, in order to identify individuals and their locations. The filing also alleged that the party monitored users' communications, had a "backdoor channel" to access US user data, and possessed a "superuser" credential to view all data collected by ByteDance. You can access the full article here.

UK

The UK and the US have made a commitment to establish a "data bridge" between the two countries, facilitating the free flow of personal data. The data bridge aims to streamline processes, reduce costs, and increase opportunities for businesses by eliminating burdensome red tape associated with transferring personal data. You can access the full article here.

Regarding the “data bridge” commitment, data protection law expert Rosie Nance of Pinsent Masons said: “This announcement provides more certainty on what the framework for data flows between the US and the UK will look like. We now have confirmation that there will be a UK extension to the Data Privacy Framework between the US and EU, similar to the Swiss-US Privacy Shield under the previous framework.”

Europe

Meta was fined $1.3 billion by Ireland's Data Protection Commission (DPC) for violating GDPR. The fine is the largest ever imposed for a GDPR breach and comes with an order to suspend the transfer of user data from the European Union (EU) to the United States. Meta has been given five months to implement the data transfer suspension and six months to stop unlawful processing and storage of personal EU data already transferred to the US. You can access the full article here.

Spotify was fined $5.4 million by the Swedish Authority for Privacy Protection (IMY) for failing to adequately inform users about how their data was being used. The IMY found that Spotify did provide users with their requested data when asked, but the company lacked clarity in explaining how the data was being processed. You can access the full article here.

The Garante della Privacy, Italy's privacy watchdog, has reached out to ByteDance to investigate potential security risks for Italian and European users. ByteDance has disputed the claims and has been asked by the Garante to provide its observations on the alleged transfer of user data to Chinese authorities. You can access the full article here.