November Legal Wrap

Eagle Alpha rounds up some of the most relevant legal and compliance articles surrounding the alternative data space over the past month.

U.S.

On the 18th November 2021, the SEC announced its enforcement actions for 2021 totalling 434 cases, an increase of 7% from 2020. Among the most prominent cases listed are several “first-of-their-kind” cases including the App Annie securities fraud action. You can access the announcement here.

Peter Green of Lowenstein Sandler’s perspective on the SEC’s enforcement actions:

“The App Annie action was a watershed moment for the alternative data community. One (of many) takeaway from the action is that many hedge funds are indeed conducting extensive due diligence and “asking the right questions” of data providers with respect to data provenance. The action reinforces the importance of such diligence.”

As of November 22nd 2021, five members of Congress have called for federal consumer-privacy legislation following a Reuters report revealing how Amazon led a secretive campaign to remove privacy protections in 25 states. During this time, Amazon also collected a huge amount of personal data on American consumers. You can access the article here.

On October 27th, 2021, the “Final Rule” was announced by the FTC, implementing revisions proposed in the 2019 Gramm-Leach-Bliley Act “Safeguards Rule”, which required financial institutions to develop, implement and maintain a comprehensive information security program that complies with the Rule's requirements. The Final Rule has several additions including the expansion of the definition of “financial institution” to include “finders”, bringing together buyers and sellers of a product or service. You can access the article here.

China

China’s Draft Network Data Security Management Regulation was published for consultation on 14th November 2021. This draft includes approval and governance requirements for personal data controllers, organisations processing “important data” and operators of online platforms and e-commerce sites. If passed, the legislation may also have an impact on IT vendors to organisations in the cloud market. You can access this article here.

Lowenstein Sandler’s Peter Green on regulatory developments in China:

“Data protection regulation developments in China are important as more and more US-based managers diligence providers of consumer transaction and geo-location data from China. While the law in China has seemed less developed, it is “catching up.”

On the 29th October 2021 China’s Cybersecurity Administration released a draft of the Measures for Security Assessment of Cross-border Transfer of Data  for public consultation. This new legislation would help clarify certain cross-border data transfer restrictions under Cybersecurity Law, the DSL and the PIPL. The deadline for the public to submit comments on the Draft Measures is 28 November 2021. You can access this article here.

Europe

On the 18th November, 2021, the EDPB published a statement calling for EU legislators to implement stricter regulations on targeted advertising, and in favour of alternatives that do not require the tracking and profiling of internet users. You can access the article here.

As of the 23rd November, the International Organization of Securities Commissions (IOSCO) has recommended greater attention to ESG ratings and data products and the activities of their providers to potentially boost trust. Following a July 2021 consultation report on ESG data, the IOSCO have laid out recommendations for regulators, providers, users, and corporates. You can access the article here.

Following a GDPR breach fine of €225 million set by the Irish Data Protection Commission in September 2021, WhatsApp is making changes to the privacy policy in Europe. The fine was the second-largest GDPR fine, and WhatsApp has announced they will "add additional detail around our existing practices" to take effect immediately. You can access the article here.

UK

On the 10th November 2021, the UK Supreme Court announced its decision for the Lloyd vs. Google case restricting claimants’ ability to bring data privacy class actions in the UK under the Data Protection Act 1998 – which has now been repealed. This decision will have a knock-on-effect to similar class actions brought under UK GDPR and the Data Protection Act 2018. You can access the article here.