Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. Coming in at around 1,200 words, we’re reporting on the EU issuing a draft UK data adequacy ruling, Microsoft's CEO comments on global privacy, the U.S. Treasury questioning government purchase of location data without a warrant, and more.

​​​​​​One more thing—if you're an engineer working on privacy, be sure to catch the recording of our privacy_infra()event last week, with talks on E2EE from Signal and Zoom, and building privacy into nuclear engineering. Watch it here.​​​​​

—The Transcend team

The European Commission issued a draft adequacy decision for data flows between the EU and the UK in the aftermath of Brexit. The commission concluded that the UK ensures an adequate level of protection for personal data transferred from the EU to the UK.


  • If the adequacy decision is formally adopted, personal data can flow between the EU and the UK without the need for standard contractual clauses or binding corporate rules.
  • The next step to adoption is an opinion issued by the European Data Protection Board and approval by a committee of EU member state representatives.
  • Until the European Commission formally adopts the adequacy decision, personal data flows between the EU and the UK will be governed by a six-month interim regime agreed to in the EU-UK Trade and Cooperation Agreement signed last December.


Microsoft CEO Satya Nadella said he supports harmonizing global data privacy rules, during a speech at the Bio Asia 2021 conference held in India earlier this week. He said the data privacy rules should be global in nature, like food and drug safety laws.


  • Nadella said that the EU's General Data Protection Regulation was the first set of broad data privacy rules, which are now being adopted in many other countries.
  • The Microsoft CEO said that privacy is a "human right" that should be protected globally. 
  • Nadella urged companies to design and build products with user privacy in mind.


A recent Treasury Department Inspector General report concluded that a 2018 Supreme Court case may prohibit warrantless location tracking using data from apps. This interpretation has implications for government and law enforcement agencies that buy and use cellphone GPS data from mobile apps without getting a warrant.

More from the report:

  • The Supreme Court case referred to in the report is Carpenter v. the United States, in which the court ruled that warrants must be obtained by law enforcement to get location data from wireless carriers.
  • The report was prepared in response to a congressional inquiry about the IRS's use of a database containing location information of cellphone users supplied by Venntel.
  • The inspector general identified eight web-based subscription contracts that the IRS has in place that could cover cellphone data and might require a warrant.


Privacy Tech Disciplines Guide: Download our guide to working with privacy engineering disciplines, including how each technical role contributes to the success of your legal program.

Download Now

The European Data Protection Supervisor (EDPS) is recommending that targeted advertising based on tracking users' online activity be banned. The EDPS made the recommendation as part of comments regarding the proposed Digital Services Act, which seeks to standardize rules for online businesses.


  • The Digital Services Act and the Digital Markets Act were proposed by the European Commission in December.
  • The EDPS also said that profiling for content moderation should be prohibited unless the online service provider can demonstrate that profiling is needed to address systemic risks.
  • Critics argue that the EDPS is only considering the data privacy issues regarding targeted advertising rather than how the technology is being used in modern business. 


Mozilla has added a privacy feature to its Firefox 86 browser that prevents web trackers from keeping tabs on browsing activity. The Total Cookie Protection feature blocks cookies from being used to track users from site to site. 


  • Total Cookie Protection is built into Firefox's Enhanced Tracking Protection (ETP) Strict Mode.
  • The feature maintains a separate “cookie jar” for each website; the cookie is confined to the cookie jar assigned to that website and can't be shared with any other websites.
  • Separately, Google is adding a privacy feature to Chrome for iOS that enables users to lock their opened Incognito tabs using their iPhone's Face ID or Touch ID authentication tool.


An unidentified user was able to breach the popular Clubhouse audio-chatroom app and stream audio feeds to a third-party website. Clubhouse said it has permanently banned the user and put in place safeguards to prevent it from happening again. 


  • “Clubhouse cannot provide any privacy promises for conversations held anywhere around the world," Alex Stamos, director of the Stanford Internet Observatory, told Bloomberg.
  • Clubhouse uses a Chinese startup called Agora to handle its back-end operations, so data traffic is processed in China.
  • Earlier this month, Clubhouse said it would review its data privacy policies and add data encryption.


North Dakota is considering a data privacy bill (HB 1330) that would require businesses to get user consent before selling protected data to third parties. Protected data includes user location, screen name, shopping habits, and browsing history. 


  • "People need some level of protection from having all of our personal information being sold to the highest bidder," the bill's sponsor, Tom Kading (R), told the Grand Forks Herald.
  • The state's House Industry, Business and Labor Committee has recommended against passage of the bill.
  • North Dakota joins a number of other U.S. states in considering data privacy legislation, including Virginia, New York, Florida, Minnesota, and Washington.


In other news...
  • Politico EU's top story this morning covers claims that whistleblowers were forced out of Amazon after flagging problems with data security and compliance.
  • Workers will face data privacy risks from COVID-related technology being deployed in the workplace, according to experts consulted by AFP.
  • A Georgia bill requiring phone service providers to disclose on-demand location of customers to law enforcement lacks privacy safeguards, warns the ACLU of Georgia.
  • Keybase has fixed a security bug in its secure messaging client, which stored image content in the cache in cleartext.
  • Telegram for Windows has been updated with a new privacy feature that provides better control over user data.
  • The Lean Data Diet has helped Wikipedia improve data privacy, volunteer engineer Nuria Ruiz explained at a recent privacy_infra() engineering meetup hosted by Transcend.

An easier way to understand California’s Privacy Rights Act (CPRA): We’ve launched an online site, where you can search, share, and see amendments to the CPRA, California’s new law amending the California Consumer Privacy Act.

Check it out

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.