Eagle Alpha Legal Wrap - October 2021

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.

U.S.

On October 21, 2021, the Consumer Financial Protection Bureau announced that it issued orders to collect information about the business plans and practices of big tech companies operating payment systems in the United States. Through these orders, the CFPB is seeking to collect information and gain an understanding of how big tech companies use and manage personal payments data – specifically the harvesting and monetization of payment data. You can access this article here.

On October 5, 2021, California approved legislation amending the Information Practices Act of 1977, which will specifically impact agencies and businesses that own or license computerized data that includes personal information. You can access the article here.

On October 11, 2021, California Governor Newsom signed several bills dealing with privacy and data security. These new laws come into force on January 1, 2022, and include AB 335, which adds an exemption to the California Consumer Privacy Act (CCPA) right to opt-out of sales of consumer personal information; AB 825, which expands existing data breach notification laws in California to include genetic data within the definition of “personal information.”; and AB 1391, which deals with the sale of illegally obtained data. You can access this article here.

The White House Office of Science and Technology Policy announced a plan to develop a "bill of rights" to protect against what the body perceives to be potentially harmful consequences of AI, including anticipated and unanticipated risks arising from AI applications developed using biometric data such as facial recognition, voice analysis, and heart rate trackers. You can access this article here.

The FTC recently issued guidance clarifying protections applicable to consumers’ sensitive personal data increasingly collected by health apps. The FTC press release indicated it has approved a policy statement offering guidance that organizations using “health applications and connected devices” to “collect or use” consumers’ personal health information must comply with the cybersecurity, privacy, and notification mandates of the Health Breach Notification Rule. You can access this article here.

China

On August 17, 2021, China released the new regulations on the Security and Protection of Critical Information Infrastructure (CII Regulations), which became effective on September 1, 2021. The new CII Regulations provide general guidance on formulating CII identification rules by competent regulatory authorities in relevant important sectors. You can access this article here.

Europe

On 19 October 2021, the European Data Protection Board (EDPB) announced that it had published its final guidelines on the restrictions under Article 23 GDPR following the end of its public consultation and adoption of the guidelines during its plenary meeting held on 13 October 2021. You can access the article here.

When opening its recent consultation on regulating international data transfers from the UK in the post-Brexit era the ICO said, “We understand that international transfers can be complex, especially for smaller businesses. Our new guidance has been designed to be accessible and to ensure they (sic) support all organizations, from SMEs without the benefit of large legal budgets to multi-national companies.” You can access this article here.

“The U.S. and EU must work together to swiftly finalize a new EU-U.S. Privacy Shield agreement that brings legal certainty to data transfer mechanisms,” the US Chamber of Commerce said in a statement. “This must be the top priority for both the U.S. and EU to avoid disruptions to data flows that could have massive consequences for businesses, customers, and workers on both sides of the Atlantic.” You can access this article here.

UK

Since 2018, the decision-making arm of the UK Information Commissioner’s Office has included a Regulatory Panel that advises on cases relating to breaches of the Data Protection Act 2018, GDPR, and the Network Information System Regulations. A potential presence of a Big Tech advocate on the Regulatory Panel could be a welcome development for businesses, as it may result in a more commercial approach to enforcement, and therefore smaller fines and less intrusive additional penalties being imposed for breaches of data protection legislation. You can access the article here.

Other

A new Personal Data Protection Law in Saudi Arabia was passed on 16th September 2021 and is due to come into force on 23rd March 2022. It will require most businesses to make significant changes to the way they collect, store and process personal data. Businesses will also need to establish compliant procedures and policies and stop certain practices. You can access this article here.