Eagle Alpha Legal Wrap - August 2022

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding  the  alternative  data space  over the past month.

US

The Consumer Financial Protection Bureau (CFPB) accused Apple of potential consumer data misuse with the company’s ‘buy now, pay later’ service being investigated. Rohit Chopra, Director of CFPB, questioned Big Tech’s entry into the lending business and how they use customer data such as browsing history, geolocation data, and health data. You can access the full article here.

“On the heels of the App Annie settlement, use of Apple’s geolocation data continues to be of interest to regulators and important to private funds who consume such data; disclosure to, and consent from, app users are paramount" - Peter Greene, Partner, Investment Management, Schulte, Roth & Zabel

An amended version of the American Data Privacy and Protection Act (ADPPA) was voted by the House Committee on Energy & Commerce for full House consideration. Data minimization and consumer rights are the areas that the federal government will focus on, with ADPPA regulating a wide range of entities that collect and use “covered data,” including non-profits. You can access the full article here.

The California Privacy Protection Agency (CPPA) is opposed to the draft of ADPPA mentioned above. Its primary concern is that ADPPA will result in Californians having less protection compared to the ones provided by California Consumer Privacy Act. It is also argued that states should be allowed to continue policy innovation rather than wait for federal changes. You can access the full article here.

Google’s promise to remove abortion clinics from users’ location history was scrutinized. Researchers from Tech Transparency Project conducted experiments showing that it was still possible to view this sensitive information. You can access the full article here.

UK

The UK Data Protection and Digital Information Bill were introduced to Parliament. The most significant reform under this banner is the change to Article 22 of the UK GDPR on automated decision-making. The general prohibition has now been removed; instead, conditions must be met for decisions involving particular category data. The ban is then replaced with a series of safeguards that must be in place. You can access the full article here.

The UK-US Data Access Agreement will allow each country’s law enforcement agencies to access data from technology and telecom companies as part of criminal investigations. You can access the full article here.

Europe

The Court of Justice of the EU (CJEU) issued a ruling with broad consequences in a Lithuanian case concerning national anti-corruption legislation. CJEU said data that can indirectly reveal a person’s sexual orientation constitutes particular category data under the GDPR. Data protection authorities in the EU didn’t agree on this issue in the past, but the CJEU ruling now provides clear guidance. You can access the full article here.

Meta may be forced to pull its Facebook and Instagram services from the European Union if a new transatlantic data transfer pact isn’t agreed upon. The Irish Data Protection Commission informed its European counterparts that it plans to ban Meta’s data flows to the United States. You can access the full article here.

The Ethical Commerce Alliance was launched to build consumer trust in how e-commerce retailers collect and use customer data. The Alliance offers guidance for retailers to avoid privacy violations while safeguarding personal data beyond GDPR compliance. You can access the full article here.

China

The Cyberspace Administration of China released the results of the Didi cybersecurity review, which resulted in a 1.2 billion USD fine. Didi was found to illegally collect user information (including 12 million screenshots from users’ photo albums) and improperly handle sensitive information. You can access the full article here.

A report by Australian-US cybersecurity firm Internet 2.0 found that TikTok collects “excessive” amounts of information from its users. It is even noted that the Chinese government could use the app to collect device locations and personal information from in-app messages. You can access the full article here.

Other

India’s government decided to withdraw a data protection and privacy bill proposed in 2019 due to the country’s parliamentary panel review. Many amendments are being suggested with a need for a new “comprehensive legal framework.” You can access the full article here.