Privacy XFN from Transcend

Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. And it's been a busy week! Coming in at around 1,300 words, we’re reporting on Brazil’s data regulator laying out its plans for 2021-2023, a new study on consumer privacy habits, U.S. firms urging Australia to embrace GDPR, and plenty more in Quick Links (our longest yet!)

One more thing—a reminder of our first Privacy_Infra() privacy engineering meetup of 2021 next Thursday February 18, including talks from Signal Messenger and Zoom on how they implemented E2EE. Register here.

—The Transcend team

The Brazilian National Data Protection Authority (ANPD) has laid out its plans and strategy for 2021-2023. The three main objectives for the period are to promote a data protection culture in Brazil, establish an effective data protection regulatory environment, and improve its ability to operate according to the rules laid out in the Brazilian data protection regulation (LGPD).


  • The ANPD plans to draft rules for small and medium-sized businesses, enforcement and calculation of fines, notification of data breaches, data protection impact assessments, and data protection officers.
  • The ANPD was set up in December 2018 to implement LGPD.
  • The Brazilian Supreme Court is considering a case that could define what the LGPD's right to be forgotten means. 


More than 83% of consumers said they were "proactive" about their data privacy, yet many did not know what basic data security precautions to take. Close to two-thirds of respondents said they would share personal data with an app to access services, according to a survey of 1,000 U.S. and U.K. individuals by U.S. identity management company Entrust.

More from the Entrust survey:

  • 43% said they do not carefully review the terms and conditions before downloading a new app.
  • 83% said they are comfortable with using or storing biometric data with apps and services.
  • 64% said their concern or awareness about data privacy has increased over the past 12 months.


The Irish Council for Civil Liberties found, through freedom-of-information requests, that the Irish Data Protection Commission (DPC) has not updated its IT system to handle implementing the EU's General Data Protection Regulation (GDPR). Many U.S. tech firms have their European headquarters in Ireland and thus are subject to the Irish regulator when it comes to GDPR enforcement.


  • Graham Doyle, the deputy commissioner at the DPC, admitted that the IT system was "dated" but noted that new core parts of the system will be rolled out in the second quarter of 2021. 
  • Under the GDPR one-stop-shop model national regulators handle GDPR implementation for companies with their main headquarters within their national boundaries.
  • However, the one-stop-shop model is being challenged. As we reported last month, the Belgian regulator took action against Facebook over its use of cookies, even though Facebook's main European headquarters is in Ireland.


Privacy eng. insights from Signal, Zoom, and more:  Join our first Privacy_Infra() meetup of 2021 next Friday February 18 from 10am, with tech talks from Signal Messenger's VP of Engineering, Zoom, and UC Berkeley. 

Register now

Facebook and Snap are requesting that the Australian government implement elements of the EU's General Data Protection Regulation (GDPR) when it updates the country's Privacy Act of 1988. The Attorney General is reviewing the Privacy Act as part of an effort to update the 30-year-old law and has called for public comments.


  • In its submission, Facebook argued that a global privacy framework is needed to avoid splintering privacy protections into many different national rules. 
  • In its submission, Snap urged the government to draw on the strengths and lessons learned with the GDPR in Europe.
  • The Attorney General has received more than 100 comments from companies, privacy groups, and other organizations as it considers revisions to the Privacy Act.


New York Governor Andrew Cuomo is proposing a Consumer Data Privacy Bill of Rights to provide a comprehensive data privacy framework. The bill of rights would guarantee New Yorkers the right to access, control, and erase their data, the right to nondiscrimination from providers for exercising these rights, and the right to equal access to services.

More from Cuomo:

  • The proposal would require companies that collect data on a large number of New Yorkers to disclose the purposes of the collection and only collect what is needed for those purposes.
  • Cuomo's proposal would also protect sensitive categories of personal data including health, biometric, and location data.
  • It would also create strong enforcement mechanisms to hold companies accountable for the illegal use of consumer data.



Canadian regulators ruled that New York-based Clearview AI violated federal and provincial privacy laws by offering its facial-recognition services in the country. The regulators determined that Clearview AI collected sensitive biometric information without the knowledge or consent of millions of Canadians. 


  • Clearview AI scrapes photos from the internet, uses algorithms to search those photos, and sells its service to law enforcement, including the Royal Canadian Mounted Police.  
  • The Canadian agencies that investigated Clearview AI's practices included the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta.
  • In response to the ruling, Clearview AI has stopped offering its facial recognition services to Canadian clients and collecting images of individuals in Canada, and it deleted previously collected images and biometric facial arrays of individuals in Canada.
  • Last year, Clearview AI agreed to stop selling its facial recognition service to private companies. 


The Department of Homeland Security (DHS) granted $198,600 to AppCensus, a California-based startup, to develop a platform to assess the security and privacy risks posed by COVID-19 contact tracing apps. AppCensus currently runs a platform for testing the security and privacy of mobile applications. 

More from DHS:

  • AppCensus is the first of six startups to get a phase 1 award under DHS's Silicon Valley Innovation Program (SVIP) Emerging Needs: COVID-19 Response & Future Mitigation solicitation.
  • With the funding, AppCensus will adapt its platform to develop an on-demand, automated mobile-app testing system for publicly available Android and iOS contact tracing apps.
  • AppCensus will also provide a free public microsite with results of the digital contact tracing app security and privacy testing.


Quick Hits:
  • The Virginia legislature is expected to approve this week the Virginia Consumer Data Protection Act, which has similar provisions to the California Consumer Privacy Act.
  • The Electronic Frontier Foundation is urging President Biden to abandon efforts by the previous administration to require a law-enforcement backdoor in encryption products.
  • Security researchers are alleging that Facebook Messenger and Instagram collected and used data from link previews in a way that violated the EU's ePrivacy Directive.
  • An IRS lawsuit against James Harper could have implications for the privacy rights of cryptocurrency users.
  • Here's a useful resource for privacy practitioners—Danielle Keats Citron and Daniel J. Solove on more clearly defining privacy harms.
  • WireWheel, an Arlington, Va.-based data privacy startup, has raised $19.3M in venture funding led by ForgePoint Capital.
  • LiveRamp has agreed to acquire DataFleets, a startup that uses the cloud to securely merge and analyze data while protecting privacy, for $68M.

An easier way to understand California’s Privacy Rights Act (CPRA): We’ve launched an online site, where you can search, share, and see amendments to the CPRA, California’s new law amending the California Consumer Privacy Act.

Check it out

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.