Legal Wrap - December 2021
Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.
US
On November 29, the Consumer Financial Protection Bureau (CFPB) settled a lawsuit by the National Association of Consumer Advocates (NACA) challenging the formation and operation of the Taskforce on Federal Consumer Financial Law (the Taskforce). This taskforce’s goal was to recommend ways to improve and strengthen consumer financial laws and regulations including exercising caution in restricting the use of non-financial alternative data. You can access the article here.
In New York, data privacy and security concerns have arisen following the implementation of new technologies to manage residential buildings. As more and more data is being collected from residents and data sharing with third parties is taking place, policies and protections for residents is paramount. You can access the article here.
China
On November 25, the Shanghai Data Regulations was formally adopted by the Shanghai Municipal People's Congress and will come into effect on January 1, 2022. It includes details surrounding data subjects rights, and the standardisation of data processing activities. As well as updates from the second draft including authorising government departments to collect data necessary for emergency response; having a municipal data expert committee to carry out security assessments of public data use, etc. You can access the article here.
Peter Green of Lowenstein Sandler’s perspective on data regulations in China:
“We are closely watching how China will address the collection and use of alternative data, especially consumer transaction and geolocation data; regulation in this area is critical given the proliferation of alternative data sets about (and/or from) China.”
Europe
The Court of Justice of the European Union’s (CJEU) advocate general has made an essential clarification to Europe’s data protection law to confirm that consumer associations can bring actions on behalf of individuals. If followed by the CJEU, this will make it easier for people to defend their rights against tech giants in future. You can access the statement here.
For vehicle data, the German Brandenburg regional government state that vehicle manufacturers must adhere to GDPR when collecting, processing and storing data, with “privacy by design” and “privacy by default” important cornerstones for manufacturers to take into account when developing their products. Additionally, consumers must be able to decide individually whether and to whom they grant access to the datasets they have produced and be able to request deletion of driving data at any time. You can access the article here.
The Digital Markets Act (DMA) proposal blacklists certain practices used by large platforms acting as “gatekeepers” and enables the EU Commission to carry out market investigations and sanction non-compliant behaviours. The proposed regulation will apply to the major companies providing so-called “core platform services” most prone to unfair business practices, including online intermediation services, social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services. You can access the article here.
France’s data protection authority, the CNIL, has issued around 30 new formal notices to comply with its new guidelines on cookies on December 14, 2021. Previously, about 60 organizations were served with formal notices for not allowing website visitors to refuse cookies as easily as to accept them. You can access the article here.
Norway’s Data Protection Agency issued a $7 million GDPR fine to online dating app Grindr. The app was found in breach of processing and sharing user data—including highly sensitive information relating to data subjects’ sexual orientation—with advertisers without consent. You can access the article here.
UK
In December, the UK Culture Secretary and US Commerce Secretary met and released a statement addressing the “negative trends that risk closing off international data flows”. “We seek to shape a global data ecosystem in a manner that promotes and advances interoperability between different data protection frameworks, facilitating cross-border data flows while maintaining high standards of data protection and trust.” You can access this article here.
Other
On December 21, 2021, the Brazilian Data Protection Authority, updated instructions on how and when data subjects can file a complaint against a data controller for possible violation of their rights under the General Data Protection Law (LGPD). You can access the article here.
In December, a parliamentary committee in India recommended widening the scope of proposed data protection legislation to include both personal and non-personal data and sought greater accountability for social media platforms by treating them as publishers. The panel has also favoured a framework to regulate hardware manufacturers, who also collect data along with the software and includes provisions for cross-border transfer of data. You can access the article here.