Privacy XFN

Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. Coming in at just over 1,200 words, we’re covering U.S. and E.U. negotiators ramping up talks to replace the Privacy Shield, the FTC offering to protect privacy if Congress balks, EU regulators probing social media data leaks, and more.

📅Last chance to register: Today at 10am PT The New York Times joins our privacy engineering virtual meetup privacy_infra() to outline how they built a technical system to support the privacy of their readers. Plus, privacy-preserving ways for events & business to confirm COVID-19 vaccinations. Save your spot here.

—The Transcend team

U.S. and E.U. negotiators have intensified discussions on how to replace the Privacy Shield agreement struck down by the European Court of Justice in July 2020. However, the delay in negotiations has prompted some companies to include uncertainty about transatlantic data flows in their risk factors for 2021.


  • Companies such as QVC and ViacomCBS are adding investor warnings in their quarterly Securities and Exchange Commission reports about the revenue risks from the delayed talks.
  • The ambiguity over the Privacy Shield replacement makes investor warnings necessary, explained Justin Antonipillai, who co-led the U.S. negotiating delegation that reached the Privacy Shield accord.
  • European officials have cautioned that it could be years before a new agreement is reached.


Federal Trade Commission (FTC) members agreed that they should act to protect consumer privacy rights if Congress does not pass legislation protecting those rights. The commissioners told a Senate Commerce Committee hearing that the FTC should fill in gaps in enforcement of consumer privacy rights if no federal law is forthcoming.


  • Commissioner Christine Wilson, a Republican, testified that the FTC has authority under Section 18 of the FTC Act, known as the Magnuson-Moss rulemaking, to provide rules protecting consumer privacy.
  • Commissioner Rohit Chopra, a Democrat who is President Biden's pick to head the Consumer Financial Protection Bureau, supported the FTC moving head with rulemaking around data security and privacy.
  • Currently, there are a number of state privacy laws and many state bills proposing to guarantee privacy rights.


European regulators are taking a hard look at recent data leaks by Facebook, LinkedIn, and Clubhouse that involved scraping data from public user profiles. The companies have stressed that the data leaks were not the result of security breaches. But the leaks could still run afoul of the EU's General Data Protection Regulation, according to data privacy experts.


  • “It’s not simply about whether it’s public or private. It’s about whether there are safeguards in place around [the data’s] processing and its use,” Daragh O Brien, managing director at Irish consulting firm Castlebridge, told the Wall Street Journal.
  • “You need justification for any processing, be it publicly available information or other data sources,” Peter Hense, a partner at German law firm Spirit Legal, told the newspaper. 
  • The Irish data protection commissioner has launched a probe into the Facebook leak, while the Italian data protection agency is investigating the LinkedIn leak and the French regulator is examining Clubhouse. 
  • For its part, Facebook is trying to spin the data scraping breach as "normalized" activity and a "broad industry issue," according to an internal email obtained by a journalist.


Calculate the cost of privacy: Try our new Privacy Request Cost Calculator to understand the costs of your privacy program, and to bring hard numbers to your next strategy conversation.

Try it out

WordPress said it will consider Google Chrome's new Federal Learning of Cohorts (FLoC) tracking technology as a security risk and could block it by default on its websites. WordPress plans to block FLoC using code that causes the platform to issue an HTTP request header telling the browser that the tracking technology should be disabled.


  • FLoC is intended to replace third-party cookies by enabling businesses to target ads by clustering large groups of people with similar interests.
  • Chromium-based browsers, including Mozilla, Edge, Brave, and Vivaldi, have declined to use FLoC.
  • The Electronic Frontier Foundation argues that FLoC could enable "discrimination and predatory targeting."


A message from TRANSCEND

How much is your company's privacy request program really costing?

Informed by real-world ROI modeling, our free calculator breaks down the variable, fixed, and unpredictable costs of manually processing GDPR & CCPA privacy requests.

Plus, get a customizable spreadsheet to model your company's specific scenario, and a free guidebook to help guide more strategic privacy conversations.

The European Commission has released its proposal for harmonized regulation governing artificial intelligence (AI) systems. The risk-based regulations will affect providers and users of AI systems both in the EU and in other regions. 

The proposed regulations would prohibit the following:

  • AI system that uses subliminal techniques to distort a person's behavior to cause physical or psychological harm;
  • AI system that exploits vulnerabilities of specific groups of people to cause physical or psychological harm;
  • AI system used by public authorities to evaluate or classify the trustworthiness of people resulting in unfavorable treatment;
  • Real-time remote biometric identification, such as facial recognition systems, used in public spaces for law enforcement purposes.


Civil liberties groups are appealing to the U.S. Supreme Court to provide public access to decisions by the Foreign Intelligence Surveillance Court, which reviews requests for bulk email and phone data collection and other surveillance activities. They also argue that federal courts, not the executive branch, should decide when decisions that affect the privacy of millions of Americans should be available to the public.


  • The groups involved in the appeal are the American Civil Liberties Union and the Knight First Amendment Institute at Columbia University.
  • “You’re talking about judicial decisions here that may affect millions of people. The public needs to know the outlines of what those decisions are and how far they go," Theodore Olson, a member of the Knight Institute's board, told AP.
  • The Foreign Intelligence Surveillance Court was set up in 1978 to enable the FBI to eavesdrop on suspected terrorists and spies, and its surveillance powers were expanded after Sept. 11, 2001.
  • Legislation passed in 2015 required the government to consider releasing the court's decisions to the public, but it left it to the executive branch to decide on which decisions to release.


The Massachusetts Institute of Technology (MIT) has launched an initiative that examines AI-driven analytics and attitudes toward personal data. The MIT Future of Data, Trust, and Privacy program will focus on expert collaboration in five technical areas: database systems, applied cryptography, AI and machine learning, data portability and new information architectures, and human-computer interaction.


  • The initiative will provide forums for MIT researchers, policymakers, and industry consortium members to discuss the latest research and policy implications.
  • One of the initiative's goals is to reduce the time between the development of new software systems and new policies to deal with the technology, explained Daniel Weitzner, a founding director of the MIT Internet Policy Research Initiative.
  • MIT wants to work with industry in developing new privacy-preserving tools, Weitzner related.


In other privacy news...
  • An Australian judge has ruled that Google misled Android users about the collection of their location data, a violation of Australian privacy law.
  • Aleo, a data privacy platform startup, has raised $28M in funding led by a16z with participation from Placeholder VC, Galaxy Digital, Variant Fund, and Coinbase Ventures.
  • A coalition of nearly 70 groups is urging the Department of Homeland Security to end its relationship with Clearview AI, a facial recognition firm that scapes images from social media sites.
  • The Chinese government has unveiled new regulations clarifying the collection of personal information on mobile apps, which come into force May 1.
  • From the Transcend team: We've been busy building new integrations for automated privacy request fulfillment. Here are some of the highlights.

​​​​​​Curious how Transcend solves privacy compliance pain points? In this short on-demand demo, Transcend CEO Ben Brook walks through how we can help improve your privacy ROI with scalable, secure, and future-proof privacy infrastructure.

Watch Now

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.