Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. Coming in at just over 1,100 words, we’re reporting on how the UK-EU deal outlines the UK's GDPR status, IBM launching FHE to boost data privacy in the cloud, and China's AV push raising privacy concerns. Enjoy!

—The Transcend team

The new EU-UK Trade and Cooperation Agreement, which took effect Jan. 1, codifies the arrangements for the UK to leave the EU, including the application of the General Data Protection Regulation in the UK. The accord continues a six-month bridge period during which the data transfers from the EU to the UK can continue as if the UK were still part of the EU.

More from Dechert:

  • An EU adequacy decision regarding the UK is expected to be issued before the end of the bridge period.
  • If an adequacy decision is not reached in time, data transfers from the EU to the UK will require additional safeguards.
  • Companies should determine whether they need to update privacy notices, internal policies, contracts, and other documents to account for the new data privacy regime. 



IBM Security has launched a new service that enables organizations to deploy fully homomorphic encryption (FHE) to boost data privacy in the cloud. FHE allows companies to keep data encrypted even when it is being analyzed in cloud or third-party environments. Using the services, customers can develop prototype applications using FHE. 


  • Gartner predicts that by 2025 at least 20% of organizations will have a budget for FHE projects, an increase from less than 1% currently.
  • FHE has been demonstrated at speeds of seconds per bit in certain research and field trials.
  • David Wu, a researcher at Stanford University, has described FHE as the "holy grail" because of its ability to encrypt data in the cloud and other data-driven environments.


A message from TRANSCEND

How much do you value your time?

Transcend delivers a full-stack solution to receive, manage and automatically fulfill data requests from your customers, freeing you to do high value work.

Leading companies trust Transcend to automatically and securely fulfill privacy requests without the need of a human.

Transcend automates your drudge work giving back the most important ROI – your time.

Get a demo on how we can fulfill your privacy requests in less than a minute.

Get a Demo

China's push to develop autonomous vehicles (AVs) raises data privacy and security issues for vehicle developers. Currently, China does not have laws regarding data privacy, but the government last year issued a voluntary personal information security specification that gives consumers more control over their personal data. This specification, along with other government rules, could restrict automakers' ability to collect data for AVs to function effectively.


  • The Chinese government is considering a comprehensive data privacy law that could have a significant impact on the collection of personal data by automakers.
  • China's national standard for automotive driving automation classification, which took effect Jan. 1, classifies autonomous driving levels according to the degree of input required from the driver to control the vehicle.


An easier way to understand California's new Privacy Rights Act (CPRA): A We've launched an online site, where you can search, share, and see amendments to the CPRA, Californias new law amending the California Consumer Privacy Act.

Check it out

Ascension Data and Analytics, a Texas-based mortgage data analytics firm, has agreed to implement a comprehensive data security program as part of a settlement with the Federal Trade Commission (FTC) regarding allegations that it failed to ensure the data security of a vendor. The FTC alleges that the vendor stored mortgage documents on an unsecured cloud-server in plaintext and that Ascension violated the Gramm-Leach-Bliley (GLB) Act in not overseeing the vendor's data security practices.


  • Ascension also agreed to undergo biennial assessments of the effectiveness of its data security program by an independent organization.
  • The GLB's Safeguard Rule requires financial firms to ensure vendors implement and maintain customer data safeguards by contract.
  • Joseph J. Lazzarotti with the law firm of Jackson Lewis advises organizations to implement a vendor management program to avoid running afoul of the FTC.


Microsoft has recently challenged three U.S. government secrecy orders intended to get access to enterprise data without informing the customers. In two cases, the government withdrew its secrecy orders when challenged in court. In a third case, which is ongoing in New York, the company received support from Amazon, Apple, Google, 36 former federal prosecutors, news organizations, and industry associations.


  • In 2017, the Department of Justice (DoJ) issued best practices for law enforcement when seeking enterprise customer data held by cloud service providers.
  • Among other things, the DoJ recommended that law enforcement seek the data needed for an investigation directly from the enterprise rather than from the cloud service provider.
  • The FBI has used secrecy orders extensively to collect personal data from companies. 


Singapore police will be able to get access to data collected by COVID-19 contract tracing for criminal investigations, according to a senior government official. This is a reversal of the government privacy policy announced when it launched its TraceTogether app in March and has raised concerns among privacy advocates. 


  • The TraceTogether app is used by nearly 80% of Singapore's population.
  • TraceTogether was the first major Bluetooth contact tracing app unveiled in the spring of last year.
  • Contract tracing, which was once voluntary, is now mandatory in Singapore.


Instant data access, intuitive controls, clear and simple policies, and ubiquity are the fundamental building blocks of what the future of data privacy looks like, according to Ben Brook, co-founder and CEO of Transcend. Most companies and individuals want a "simple and robust" way forward on data privacy, he says.


  • Brook stresses that data transparency and control are keys to building consumer trust.
  • "We believe granting your users modern data rights today is good business, plain and simple," says Brook.
  • A failure to protect data privacy can lead to harmful consequences, such as behavioral manipulation, mass surveillance, and social and economic inequality, he warns.


  • WhatsApp is giving its users an ultimatum—share data with Facebook or stop using the app, as covered by Ars Technica. 
  • Ten percent of consumers know very little about what is happening to their personal data, according to a survey of 5,000 individuals in five countries by Publicis Sapient.
  • Google has not updated its iOS apps since early December but has updated its Android apps, suggesting an effort to avoid providing information for the App Store's new privacy labels, according to Apple Insider.
  • China's proposed data privacy law includes protections for personal biometric data (paywall).
  • For your eng. team: Transcend's DevOps team makes a case for using Terraform open-source modules.

As an early subscriber to Privacy XFN, we'd love to get some quick feedback from you, to help us make next week's newsletter even better.

Provide Feedback

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.