Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. Coming in at just over 1,350 words, we’re looking at what President-elect Biden is likely to do on the data privacy front, an EU draft resolution that is raising privacy concerns, and more.

- The Transcend team

President-elect Joe Biden is likely to be tougher on the tech industry than former President Barack Obama when it comes to data privacy and other issues, according to pundits interviewed by NPR. In terms of data privacy, a Biden administration is likely to push for a national data privacy law along the lines of the California Consumer Privacy Act and the EU’s General Data Protection Regulation.


  • Antitrust: Biden is likely to keep up pressure on Google and other tech giants over antitrust issues.
  • Legal Liability Shield: Biden wants to repeal Section 230 of the Communications Decency Act, which grants tech companies a legal liability shield for content, because of their failure to police misinformation and hate speech.
  • China: Biden is likely to take a tough stance on China when it comes to data privacy and security.


A Council of the European Union draft resolution has stirred controversy because it reportedly contains a ban on end-to-end encryption due to concerns that terrorists are using it to hide their activities. However, an analysis by Tech Crunch concluded that the proposal recommends granting law enforcement “targeted” access to encrypted data, while upholding Europeans’ data privacy rights. How that would be accomplished is not altogether clear in the resolution’s wording.


  • The council sets the political direction of the EU, but the European Commission drafts legislation and regulation.
  • The draft resolution is scheduled to be presented to the council for adoption on Nov. 19.
  • The resolution calls on EU governments, industry, research institutes, and academia to work together to create a balance between law enforcement access and data privacy rights.


Apple is requiring third-party developers to detail their app’s privacy practices beginning Dec. 8 of this year. Developers will need to identify all of the data they or their partners collect, unless the data meets optional disclosure criteria. Prior to this, developers were encouraged to provide that information through Apple’s App Store Connect website, but it will now be mandatory.


To qualify for optional disclosure, the data collected must meet all of these criteria:

  • The data is not used for tracking purposes.
  • The data is not used for third-party advertising or your advertising or marketing purposes.
  • The data is collected in infrequent cases that are not part of your app’s primary function.
  • The user understands the purpose of the data collection and affirmatively chooses to provide the data each time.

Privacy Tech Disciplines Guide: Download our latest guide to working with privacy engineering disciplines, including how each technical role contributes to the success of your legal program.

Download now

The Indian government is considering personal data protection legislation that is based on the EU’s General Data Protection Regulation (GDPR). The legislation includes requirements for protecting consumer data, requiring a user’s consent before using personal data, data privacy audits for companies, rules for reporting data breaches, and establishment of a data privacy authority. The legislation is expected to pass parliament and be enacted by early next year.


  • Carnegie Endowment for International Peace India has criticized the data protection legislation for giving too much power to the government.
  • India’s new biometric ID system has raised data privacy and security concerns.
  • The Indian government is pressuring U.S. tech giants like Google, Facebook, and Amazon to store sensitive data on Indian residents locally.


A coalition of data privacy, consumer, and civil rights groups has released a privacy and digital rights blueprint for President-elect Biden’s administration. The blueprint includes proposed legislative and administrative action to prioritize and put in place privacy and data justice protections.


The blueprint urges the next administration to:

  • Affirm privacy, surveillance, and corporate concentration issues as critical racial justice issues
  • End the surveillance of Black and Brown communities
  • Protect the privacy of federal employees;
  • Eliminate bias and disparate impacts in government programs
  • Support action in Congress to enact effective privacy laws


U.S. consumers do not trust the way companies use, manage, and protect their personal data, according to a survey of 1,000 individuals by professional services firm KPMG. Ninety-seven percent of respondents said that data privacy is important to them, and 56% want more control over their personal data. A full 90% of respondents said that companies and governments have a responsibility to protect consumer data.


  • 87% of respondents to the KPMG survey said that they view data privacy as a human right.
  • 68% of respondents said they do not trust companies to ethically sell their personal data.
  • Transcend conducted a similar survey that found U.S. consumers are more likely to do business with companies that prioritize data privacy and are willing to spend more with these firms.


Four pilot programs in the U.K. and the regional government of Flanders have begun to test out the data privacy technology known as Solid, which was developed by Tim Berners-Lee and MIT. Solid is an open standard that enables users to share their data while retaining control of who can access the information. Solid uses encryption and granular access controls to allow users to grant or revoke access at any time to their personal data stored in its data structures.


  • Tim Berners-Lee is credited with having invented the World Wide Web.
  • The pilots are being run by four organizations working with start-up infrastructure provider Inrupt, which was founded by Berners-Lee and John Bruce in 2018.
  • Solid enables personal data to be independent from applications.


California lawmakers have amended the California Consumer Privacy Act (CCPA) to expand the patient data exemption to include research data and data handled by business associates. The amendment also harmonizes the act’s de-identification exemption with the federal Health Insurance Portability and Accountability Act (HIPAA).


  • CCPA exempted certain patient information from its requirements so as not to interfere with the federal HIPPA rules.
  • Among other measures, the CCPA amendment (AB 713) adds obligations even after patient data has been de-identified.
  • AB 713 is not affected by changes to CCPA made by Proposition 24.


HP printers are vulnerable to attackers who can get access to user data by exploiting security bugs, warned the Electronic Frontier Foundation (EFF). Security researcher Ang Cui showed how an attacker could gain access to HP printers by hiding malicious code inside a document and infecting the printer when it printed the document. Using this technique, Cui was able to harvest users’ Social Security and credit card numbers, probe the local area network, and penetrate the network’s firewall.

More from EFF:

  • Millions of HP printers are exposed on the public internet and vulnerable to remote attacks, warned Cui.
  • Attackers could not only steal user data but add printers to destructive botnets.
  • HP uses “security updates” to prevent users from using third-party ink cartridges.


In the massive shift to remote work, IT departments are trying to balance data security on BYOD devices with protecting the privacy of employees, observed Tom Tovar, CEO of Appdome. Mobile management platforms tend to be invasive when it comes to accessing data on BYOD devices. To solve the problem, companies should focus on encrypting data and building security into mobile apps, Tovar argued.  


  • Relying on pre-COVID BYOD security policies is no longer sufficient to protect companies or employee privacy, argues Steve Mancini, chief information security officer of Eclypsium.
  • A recent survey of 200 security professionals by Outpost24 found that they view BYOD as the number one wireless risk to their company.
  • The increase in BYOD use has caused a 90% spike in out-of-date devices attempting to access business apps, according to a study by Duo Security at Cisco.

Newsletter Launch Survey

As an early subscriber to Privacy XFN, we'd love to get some quick feedback from you, to help us make next week's newsletter even better.