Privacy XFN

Welcome to this week's Privacy XFN, curating the best reads at the intersection of data privacy and privacy tech. This week we’re covering the IAB's expected GDPR violation, Australia's efforts to reform its privacy law, the privacy views of President Biden's FTC nominee Alvaro Bedoya, and much more.

—The Transcend team

The Interactive Advertising Bureau (IAB) Europe expects its Transparency and Consent Framework (TCF) will be found to have violated GDPR. In Oct. 2020, Belgium's data protection authority (APD) said in a preliminary report that TCF failed to obtain explicit consent before processing sensitive information such as health information and political affiliation. The critical determination the APD will have to make is whether IAB Europe is a data processor or data controller. If it's classified as a controller, this means it decides how data is used. As a processor, it doesn't own the data it collects.


  • IAB Europe doesn't consider itself to be a controller since it doesn't decide how data collected via TCF is used.
  • The APD's draft ruling will be shared with its European counterparts, who have 30 days to review and contest any findings.
  • If other regulators agree with the APD's ruling, IAB Europe will have six months to comply.
  • If they disagree with the APD's decision, the European Data Protection Board will make the final decision.


In September, President Biden nominated Georgetown law professor Alvaro Bedoya to become one of the FTC's five commissioners. In his writings, Bedoya has expressed his belief that privacy is a civil right and has criticized the disproportionately negative impact data collection and tracking have had on marginalized communities.


  • In 2016, Bedoya and his colleagues published a report that revealed facial recognition programs have had a harmful impact on people of color.
  • He added that there are a limited number of measures in place to ensure the databases are accurate and the programs aren't being misused.
  • Data privacy is expected to play a more prominent role in any antitrust enforcement actions (especially on consumer protection issues) the FTC takes once the Senate confirms Bedoya.

In a new discussion paper, the Australian Attorney General says the country should amend the definition of "personal information" in its 1988 Privacy Act to include online identifiers and technical data. The paper recommends introducing a "fair and reasonable" requirement that mandates companies only collect personal information they need and ensure it isn't used to harm an individual.


  • Consent must be obtained in a manner that's "voluntary, informed, specific and current."
  • The paper also recommends giving users choices ("pro-privacy defaults") to eliminate dark patterns.
  • Companies would have to be transparent when collecting data to influence an individual's behavior.
  • More from down under: Clearview AI has been ordered to delete its facial recognition data after it violated Australia's federal privacy law. 


China's Personal Information Protection Law (PIPL) will have a significant domestic and international impact, writes Matt Burgess of Wired. Foreign firms that fail to comply with the law could be blacklisted, which could lead to retaliatory action. In recent days, both LinkedIn and Yahoo left China just as the PIPL went into effect on Nov. 1.


  • While the PIPL does have many similarities with GDPR, Burgess says that China will be more aggressive than the EU in enforcing the laws.
  • Burgess notes the law doesn't block the Chinese government from accessing the personal information of citizens, who are still "some of the most surveilled and censored" people on Earth.
  • Privacy experts say western laws are designed to protect consumers, but the PIPL is there to protect China's national security interests.
  • They have expressed concerns that other Asian countries such as India and Vietnam could implement similar laws.


Privacy-focused firms have experienced a spike in users this year as consumers look for an alternative to Google and Facebook. ProtonMail CEO Andy Yen says his company will have 75 million users by the end of December, up from 50 million in June. Yen attributed the rise in users to increasing authoritarianism and privacy threats.


  • DuckDuckGo was downloaded over 50 million times between June 2020 and June 2021, a 55% increase year-over-year.
  • Brave's monthly active user base has risen from 18.3 million in August 2020 to 36.2 million.
  • In August, Telegram surpassed one billion downloads.
  • Yen targets Apple: The ProtonMail CEO accused the tech giant of prioritizing profits over privacy.


Peloton says Apple's recent privacy changes will increase customer acquisition costs as they impede its ability to track users. In its latest earnings report, Peloton reduced its annual revenue forecast by $1B.


  • Facebook, Snap, Twitter, and YouTube are expected to lose a combined $10B in revenue due to the changes.
  • Some firms say they're safe: Airbnb said its revenue hadn't been impacted.
  • Facebook is using device accelerometer data, available to all app publishers, to track users' movements even if they've opted out of targeted advertising and location tracking.


The U.K.'s Information Commissioner's Office (ICO) warned against weakening end-to-end encryption (E2EE) but said extra steps should be taken to ensure it doesn't enable unlawful behavior. The ICO said most online communication providers should employ E2EE. The public body acknowledged that E2EE isn't always required but said firms must have a "strong justification" for not using the technology.


  • The U.K. is among multiple governments that have argued E2EE protects individuals and groups that carry out criminal activity.
  • Last year, the U.K. government said tech companies should use E2EE to crack down on harmful content and let law enforcement access private messages once they've received permission.
  • The government introduced its Online Safety Bill earlier this year, which requires social media firms to ensure users aren't shown hate speech or disinformation.


In other privacy news:
  • The Consumer Financial Protection Bureau is investigating how tech giants such as Amazon, Apple, and PayPal handle payment data.
  • Apple's senior vice president Craig Federighi warned iOS would be flooded with malware if sideloading apps were allowed.
  • 38 apps from multiple Chinese companies, including Tencent, were told to rectify their business practices after they were found to have collected too much personal data.
  • The Justice Department charged two men for their involvement in July's ransomware attack on IT firm Kaseya and recovered $6M worth of payments.
  • An Irish High Court ruled that WhatsApp can challenge a €225M ($261M) fine it received in August from the country's Data Protection Commission over GDPR violations.
  • U.S. Trade Representative Katherine Tai said tech giants have an obligation to protect consumer privacy.

A conversation on privacy that delights: Transcend's Ben Brook sat down with the Experience by Design podcast to discuss all things privacy, security, how Transcend helps companies, and approaching user data control as a moment for brand building and trust.


Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data.