Eagle Alpha Legal Wrap - September 2021
Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.
US
A bill prohibiting insurers’ use of external consumer data as well as algorithms and predictive models that unfairly discriminate based on race, color, and national or ethnic origin among others was signed by the Governor of Colorado. Bill 21-169 states that even though these tools may simplify and expedite certain insurance practices, “the accuracy and reliability of external consumer data and information sources can vary greatly, and some algorithms and predictive models may lack a sufficient rationale for use in insurance practices.” You can access the article here.
The House Committee on Energy and Commerce voted to allocate $1 billion over the space of 10 years to the FTC to establish and operate a new privacy bureau in order to “hold companies accountable for failing consumers.” The funds will be used “to accomplish the work of the Commission related to unfair or deceptive acts or practices relating to privacy, data security, identity theft, data abuses, and related matters.” You can access the article here.
The FTC announced its intent to strongly enforce its 2009 Health Breach Notification Rule via a policy statement containing an expanded interpretation of entities subject to the Rule. It also clarifies that not only does the acquisition of health data by a bad actor constitute a reportable breach, but that the disclosure of it to a third party without an individual's authorization is also a reportable breach. You can access the article here.
DoorDash sued New York City over a new law requiring food delivery companies to share customer data with restaurants, saying it violates customer privacy and lets restaurants compete unfairly. It was filed in federal court in Manhattan six days after DoorDash, Grubhub Inc, and Uber Eats sued New York City over a separate law capping fees that delivery companies charge restaurants. You can access the article here.
UK
The U.K. government announced “Data: A New Direction”, which proposes significant changes to the U.K.’s data protection framework (UK GDPR). It aims to craft a bespoke “pro-growth and pro-innovation regime whilst maintaining…world-leading data protection standards.” You can access the article here.
The UK has released a national 10-year AI strategy intending to “signal to the world the UK’s intention to create the most innovation-friendly regulatory environment in the world; fostering prosperity across the UK and ensuring that everyone can benefit from AI, and apply AI to help solve global challenges like climate change.” You can access the article here.
On September 27th, 2021, organizations that use the EU’s Standard Contractual Clauses (SCCs) to govern their transfers of personal data from the European Economic Area (EEA) must use the new version of the EU’s SCC. Any SCC that was entered into prior to September 27th remains valid and can be used until December 27, 2022, to govern the covered transfers, so long as all safeguards are in place and data processing operations remain unchanged. You can access the article here.
China
On August 16, 2021, the trialing of China’s first regulation on automotive data security was announced titled “Provisions on the Security Management for Automotive Data”. This will go into effect on October 1st, 2021, and will establish a preliminary compliance framework for automotive data security in China by defining “automotive data and regulated entities, stipulating principles for data processing, specifying obligations of data processors, and setting forth rules for cross-border data transmission.” You can access the article here.
Europe
A report released by the Congressional Research Service on the EU-US Privacy Shield’s invalidation and the aftermath has provided options for an enhanced agreement to facilitate data flows. The Biden Administration has expressed its intention to ease EU concerns about US government access to personal data, as well as the availability of judicial redress through executive orders and administrative action. You can access the article here.