Eagle Alpha Legal Wrap - September 2023

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.

a year ago   •   4 min read

By Dallán Ryan

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.

Global

Data protection and privacy authorities from twelve countries issued a joint statement urging the protection of people’s personal data. The statement draws attention to the rising concern over illegal data scraping from social media, which involves the automated extraction of large volumes of online information. This practice poses privacy risks and potential harm, including the misuse of individuals' data for purposes they did not consent to, cyberattacks, and identity fraud. You can access the full statement here.

US

The FTC launched an extensive investigation into OpenAI focusing on potential breaches of consumer protection laws concerning the company's ChatGPT bot. The FTC sent a 20-page demand for records to OpenAI, seeking information about how the company manages risks associated with its AI models, detailed descriptions of all complaints, and records of a security incident disclosed in March. You can access the full article here.

Additional details came to light in the ongoing legal battle between X Corp. (formerly known as Twitter) Vs. Bright Data. The lawsuit includes counts related to breach of contract, tortious interference with contract, and unjust enrichment, with X, arguing that Bright Data violated its terms of service by scraping user data and providing scraping tools to third parties. You can access the full article here.

Oregon became the third US state, after Vermont and California, to require data broker registration for entities collecting, selling, or licensing "brokered personal data." The law, which takes effect on January 1, 2024, imposes registration requirements, including declarations on consumer opt-out options and authorized agents. Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) are exempt. You can access the full article here.

Leading industry groups including the Managed Funds Association (MFA), the Alternative Investment Management Association (AIMA), and the U.S. Chamber of Commerce submitted a letter to the SEC requesting a 60-day extension of the comment period for the proposed rules on the use of predictive data analytics by investment managers. The signatories argue that more time is needed to assess the potential adverse effects on technology-driven benefits for clients and access to investment opportunities. You can access the full article here.  

The use of generative AI technology is highlighted in a new report by the EY Center for Board Matters. Audit committees are advised to implement controls and processes that evolve as quickly as emerging technologies. Patrick Niemann, EY Americas audit committee forum leader, highlighted the issues of ethical usage, accuracy, and intellectual property protection. You can access the full article here.

The FTC has taken on an increasingly significant role in safeguarding health data that falls outside the scope of HIPAA (Health Insurance Portability and Accountability Act). The FTC has been enforcing the Health Breach Notification Rule (HBNR) for entities not covered by HIPAA. And the recently proposed rule extends the HBNR to health apps and online services, treating developers as healthcare providers under this rule. You can access the full article here.

EU

The Federal Act on Data Protection (FADP) in Switzerland, originally enacted in 1992, has been revised to better protect individuals' personal data. The revised FADP came into effect on September 1st, 2023 with several significant changes, including enhanced user consent, easier subject access requests, increased sanctions, breach notification requirements, and Privacy by Design & Default considerations. You can access the full article here.

Zoom is facing privacy concerns in Europe due to changes in its terms and conditions. A clause added in March 2023 raised alarm as it appeared to allow Zoom to use customer data for training AI models without an opt-out option. While the controversy centers around whether this applies only to "service-generated data," which includes telemetry and product usage data, the uproar has raised questions about consent and privacy under GDPR and the ePrivacy Directive in Europe. You can access the full article here.

OpenAI is facing a complaint filed with the Polish Data Protection Authorities, alleging violations of the GDPR. The complaint, brought by privacy researcher Lukasz Olejnik, asserts that OpenAI breached GDPR provisions related to lawful basis, transparency, fairness, data access rights, and privacy by design. You can access the full article here.

Fitbit, a subsidiary of Google, is facing three privacy complaints in the EU alleging illegal export of user data in violation of data protection regulations. The complaints focus on Fitbit's assertion that users have consented to international data transfers, arguing that the consent does not meet the required legal standard under the GDPR. You can access the full article here.

UK

The UK government has unveiled its plans for the AI Safety Summit, scheduled for November 1st and 2nd. The event aims to bring together various countries, technology organizations, academia, and civil society to address the challenges and risks associated with advanced AI systems. The summit will explore collaboration on AI safety research, standards development, and governance. You can access the full article here.

China

China's internet regulator, the Cyberspace Administration of China (CAC), is engaging with foreign firms, including Walmart and PayPal, to address concerns regarding the country's new data security regulations. The CAC has met with executives from numerous international companies to discuss ways to navigate the new data regime, offering guidance on compliance and acknowledging the challenges of obtaining approvals for the overseas transfer of sensitive information. You can access the full article here.

India

The new Digital Personal Data Protection Act has faced criticism over concerns that it could infringe upon the Right to Privacy and enable surveillance activities. Digital rights groups, including the Internet Freedom Foundation and the Software Freedom Law Centre, have raised objections to provisions in the law that allow data processing without consent and amend the Right to Information (RTI) Act. You can access the full article here.

Spread the word

Keep reading