Eagle Alpha Legal Wrap - November 2022

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative  data space  over the past month.

US

The U.S. District Court for the Northern District of California ruled that hiQ Labs breached LinkedIn’s user agreement by scraping public profiles and by hiring independent contractors to log in and confirm identities manually. LinkedIn is also entitled to move forward with the CFAA violation claim. Sarah Wight, VP of Litigation at LinkedIn, said: “The Court’s ruling helps us better protect everyone in our professional community from unauthorized use of profile data, and it establishes important precedent to stop this kind of abuse in the future.” You can access the full article here.

"The recent LinkedIn/hiQ Labs decision does not change the view that web scraping should not create risk under U.S. federal securities laws—that is, insider trading risk—if you are scraping only public websites sites (or public portions thereof). While violation of a terms of use creates breach of contract risk, it should not create insider trading risk if you are not bypassing (through log-in/password or other means) an authentication gateway." - Peter Greene, Partner, Investment Management, Schulte, Roth & Zabel

The SEC proposed a new rule that would prohibit investment advisers from using outsourced services without meeting minimum requirements. The proposal would require advisers to conduct due diligence on service providers and carry out periodic reviews. The rule would also require advisers to keep books and records related to these new oversight obligations. You can access the full proposal here.

The SEC recommended enforcement action against SolarWinds over the company’s statements on cybersecurity disclosures and the related governing procedures. SolarWinds tentatively agreed to pay 26 million USD in a lawsuit settlement. This follows the FTC’s actions taken against EdTech firm Chegg and online marketplace Drizly for security failures and subsequent personal data exposure. You can access the full article here.

Coinbase backed Ripple in its case against the SEC arguing that existing registration requirements for national securities exchanges are not suitable for how digital asset platforms operate. Coinbase joined the Blockchain Association and the crypto payments app SpendTheBits in its support of Ripple. You can access the full article here.

Europe

The new EU-US Data Privacy Framework was introduced setting clear data-sharing rules and giving companies legal clarity when performing data transfers. This framework was two years in the making after the EU’s Court of Justice invalidated the EU-US Privacy Shield. You can access the full article here.

The European Parliament’s lawmakers suggested expanding the European Commission’s revision powers in the AI Act, a proposed legislation designed to regulate the development, deployment, and use of artificial intelligence. This amendment would give the Commission the ability to modify the list of high-risk areas, such as education or employment after the legislation becomes effective. You can access the full article here.

UK

The UK’s new Data Protection and Digital Information Bill could face delays as further consultations are being planned by the Department for Culture, Media, and Sport (DCMS). Owen Rowland, deputy director for domestic data protection policy at the DCMS, said that the adequacy agreement with the EU will be “at the heart” of the bill. You can access the full article here.

The UK Digital Secretary Michelle Donelan discussed the data adequacy agreement with the US Secretary of Commerce Gina Raimondo. The new digital transfer deal between the countries is expected “in the coming weeks.” You can access the full article here.

China

TikTok updated its privacy policies for European users adding disclosures that the personal data of users can be viewed by the company’s employees in China. The announcement comes as US policymakers are increasingly vocal about limiting TikTok’s access to personal data. You can access the full article here.

Brazil

Brazil’s Data Protection Agency introduced a new resolution that limits the country’s Data Protection Law obligations on small entities. The resolution defines “small-sized processing agents” as small companies and startups and suggests simplified procedures with firms not required to appoint a Data Protection Officer. You can access the full article here.

Indonesia

Indonesia introduced its first Personal Data Protection Law after years of postponement and based it on the GDPR. Local businesses and international companies will now be liable for how they handle the data of Indonesian consumers. You can access the full article here.