Alternative Data and Its Legal Issues

Such information is now being used to inform investors of various trends that can potentially help them make better trades. These newer forms of data procurement must be implemented in ways that conform with local and global legal regulations.  

Alternative Data Types

Part of the challenge in regulating alternative data usage is that the sources of such data continue to expand at a very rapid pace. Some types of alternative data include:

• Satellite imagery
• GPS and geolocation data from phones
• Website scraping, especially in the healthcare and travel industries
• Credit card tracking
• Product “trending” data on social media outlets such as Instagram
• Data gathered from sensors and computers in cars
• Emailed receipts
• Shopping habit data
• Shipping, supply, and point-of-sale data

The usefulness of this type of data for investment firms does not lie in the actions or details of single individuals; instead, firms are looking for broad demographic trends that are based on the aggregate of the data sets. Even still, there are some concerns regarding the privacy and confidentiality of personal information gathered from alternative data sources. 

Alternative Data and Privacy Concerns

In order to violate insider trading rules, an individual needs to take action on material, nonpublic information that is received in violation of an existing duty to keep the information confidential. For the most part, data gatherers typically obtain permission to sell data, often via the terms and conditions users are often required to agree to regarding the use of the information . 

However, this alone may not be sufficient to protect against privacy intrusions. Some key safeguards that funds can take to help prevent privacy intrusions include:

• Anonymizing data (scrubbing personally identifiable information from data sets)
• Using the data in aggregated forms
• Greater focus on overall reporting transparency
• Clarification of personal data usage
• Clear terms and conditions for users

Funds should be especially cautious when entering into exclusivity agreements with information providers, as these can have effects on the “nonpublic” aspect of the information. Still, there are few legal precedents in this area, and standards for regulation are different between countries and even between U.S. states. 

EU General Data Protection Regulation

Perhaps the most significant response to the privacy concerns associated with alternative data collection is the EU General Data Protection Regulation (GDPR). The GDPR is set to come into force across the EU on May 25, 2018. The regulation will harmonize existing data protection laws in EU, including U.K. regulations (notwithstanding Brexit). 

The GDPR will shift the current regulatory focus from the organizations utilizing data to the individuals whose data is being used. It applies to the use of any personal data arising in connection with:

• The offering of goods or services to individuals located in the EU
• Monitoring of EU individuals’ behavior

Some main points addressed by the GDPR include:

• Consent Mechanisms: It will be more difficult to obtain consent from individuals for processing their data under the GDPR. Users will be required to clearly provide their affirmative consent through website checkboxes, and businesses collecting the data must clearly explain how the data will be used. Individuals can withdraw consent at any time.
• Age: The GDPR will raise the age of consent for data collection. EU jurisdictions can set the age of consent for collection between 13 and 16, with the consent of a legal guardian required for users younger than 13.
• Processor Location: Worldwide businesses cannot evade application of the GDPR by locating processor operations or equipment outside of the EU.
• DPOs: Data processors that processes a significant amount of data, or which handle sensitive data, may need to appoint a data protection officer (DPO). This person will be responsible for monitoring the data processing activities of the organization, and for ensuring compliance with the GDPR.
• Responses to Data Breaches: The GDPR requires data breaches to be reported to the relevant regulator as soon as possible (within 72 hours of identification of the breach). However, breaches that are not likely to result in risks to individuals need not be reported.

Sanctions for GDPR breaches will be significantly stricter than existing regulations. Breaches may result in fines ranging from 2 to 4 percent of the annual worldwide turnover of the relevant business. Depending on the nature of the breach, this can translate to €10 million to € 20 million in minimum fines. 

Global businesses which gather and process data on any EU-based individuals should:

• Evaluate any data processing agreements to ensure that they comply with GDPR requirements, especially those dealing with the obligations of data controllers and processors
• Understand the new GDPR framework fully
• Carefully monitor processes by which information gathered from EU data subjects is transferred outside of the region

The Future of Alternative Data

Alternative data will eventually become a basic aspect of portfolio management; data sources that are currently considered novel will be replaced by new forms of data and new information sources. For now, funds and other institutions should approach the use of such data with caution. They should also ensure that they are in compliance with new regulations such as the GDPR which will set the tone for data privacy regulation in the near future.

As creative uses for data continue to grow, the legal framework for protecting shareholder rights will also need to evolve. For more information regarding issues such as alternative data and its legal concerns, contact us today at Kessler Topaz. Our team of attorneys is skilled at transforming economic and financial data into compelling advocacy leading to significant recoveries for our clients.