Eagle Alpha Legal Wrap - September 2022

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding  the  alternative  data space  over the past month.

US

The FTC sued Kochava, a data vendor that analyzes mobile marketing effectiveness, for buying and selling geolocation data from “hundreds of millions of mobile devices.” It is alleged that the collected data could be used to track movements to and from such sensitive locations as abortion clinics and religious institutions. Kochava argues that it only uses third-party data gathered with the users’ consent. The lawsuit follows the business alert issued by the FTC earlier this year on the illegal sharing of location, health, and other sensitive data. You can access the full article here.

"While this case has charged political ramifications, the key here for private funds consuming data is diligencing whether there is informed consent to share" - Peter Greene, Partner, Investment Management, Schulte, Roth & Zabel

A new Florida resolution forbids fund managers for the state's $228 billion pension funds from including ESG factors in the investment decision-making process. Governor DeSantis, who has been particularly outspoken in his opposition to ESG, described ESG policies as "an attempt to impose, through the economy, an ideological agenda that could not win at the polls," and declared that "ESG is dead on arrival in Florida." You can access the full article here.

"The ongoing political debate over ESG is critical for fund managers who are endeavoring to explain to investors the extent to which ESG factors into their investment processes" - Peter Greene, Partner, Investment Management, Schulte, Roth & Zabel

Sephora, one of the largest cosmetics retailers in the world, settled a data privacy lawsuit and agreed to pay $1.2 million for failing to notify its customers that their personal information was being sold and for not allowing customers to opt out. It is California’s first enforcement action under the California Consumer Privacy Act. You can access the full article here.

“Again, the key here for private funds consuming data is diligencing whether there is informed consent to share” - Peter Greene, Partner, Investment Management, Schulte, Roth & Zabel

Meta is being sued for providing US hospitals with a data-tracking technology that allegedly resulted in Facebook getting access to patient data. The suit was filed in the Northern District of California accusing US hospitals to be in violation of HIPAA, Health Insurance Portability and Accountability Act. You can access the full article here.

Google employees are petitioning the company demanding abortion protection and data privacy. The petition was signed by over 650 employees who asked Google to implement data privacy controls for all health-related information, so that it “must never be saved, handed over to law enforcement, or treated as a crime.” You can access the full article here.

On September 8th, 2022, the FTC will hold a public forum on commercial surveillance that harm data security and privacy practices. Other concerns that were highlighted include bias and errors resulting from automated data analysis. The agency wants to determine if new regulations are required to safeguard people's privacy and information. You can access the full article here.

Europe

Twitter’s former head of security Pieter Zatko accused the company of cybersecurity mismanagement and of misleading European regulators over compliance with local laws and regulations. The national data protection authorities of France and Ireland are investigating these allegations. You can access the full article here.

The Norwegian Data Protection Authority argues that Meta should be fined for violating the EU court ruling and continuing to transfer Europeans’ personal data to the US. It highlighted: “Based on the facts of the case, we do not see how [Meta] could have continued its personal data transfers following the Schrems II judgment had it acted in accordance with the GDPR”. You can access the full article here.

UK

Privacy campaigners claim that edtech companies Google Classroom and ClassDojo are breaking the UK data laws by exposing children’s data. 5Rights, a digital rights charity, conducted an experiment showing how third parties track children’s data when users click on external links within Google Classroom. You can access the full article here.

Lord Kirkhope, a former minister and leader of the Conservatives in the EU parliament, argued that the UK should not diverge from the EU on data protection regulations: “simply because we can diverge does not mean that we should diverge; the benefits are negligible at best. The likely result would be the United Kingdom no longer being recognised as a “trusted partner” in the field of data security and the end of a free flow of data.” You can access the full article here.

China

Chinese big tech companies shared their algorithms with the Cyberspace Administration of China. The regulator stated that it was done in order to put an end to data abuse. Beijing is said to be concerned about the big tech influencing public opinions with the authorities urging platforms to use algorithms to “actively spread positive energy” instead of celebrity culture or excessive spending. You can access the full article here.

India

India’s Minister for Telecom and IT said that a revised draft of the country’s data protection bill will soon be available for public comments with the government bringing it to the Parliament’s Budget Session in early 2023. He also noted that the country’s law enforcement will have final authority over content removal from social media platforms. You can access the full article here.

Brazil

Brazil’s National Data Protection Authority (ANPD) published an update on the current regulatory agenda. ANDP closed the comment period on laws regulating international data transfers and now moved to “phase two” regulations. The authority is expected to be more active with respect to enforcements in 2023 with next year to be pivotal for the country’s new General Personal Data Protection Law. You can access the full article here.

Industrial Commentary

Denas Grybauskas, Head of Legal at Oxylabs, on Meta’s hospital data scraping allegations: “News about this lawsuit is particularly interesting in the light of Facebook’s own stance on web scraping, as the internal memo leaked last year highlighted the company’s plans to shift the blame for so-called data leaks to scrapers. According to the filing, Facebook is involved in data scraping itself: it concerns medical data that is obviously personal data, but even more so, the way this data was stored would likely make it non-public as well.” You can access the full commentary here.