Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. We’re covering the potential ramifications of WhatsApp's ongoing legal battle with the Indian government, the U.S. Supreme Court rules on data scraping, and more. ​​

New this morning: Sen. Kirsten Gillibrand is introducing a revised version of her 2020 Data Protection Act that calls for a new federal privacy agency.

And one more thing: We presented at the PEPR privacy engineering conference late last week on how Transcend has engineered a consent sandbox to eliminate annoying pop-ups and dark patterns. Watch the talk here, and reach out if you'd like to join the early beta.

—The Transcend team

Privacy advocates say WhatsApp's legal battle with the Indian government could define how tech companies protect user data. In a lawsuit filed last month, WhatsApp says complying with India's new IT laws would force it to break end-to-end encryption. The company says this would threaten user privacy as it would be forced to collect data from its 500 million Indian users.


  • Experts have said WhatsApp won't withdraw from India—its largest market—but could break end-to-end encryption and begin collecting user data in the Asian nation alone.
  • WhatsApp launched a major advertising campaign after receiving widespread backlash to its recent privacy policy changes.
  • Not the only global headaches: An EU court ruled that WhatsApp's parent company Facebook could face privacy challenges from any country in the Union, not just the lead regulator in Ireland.


Luxembourg's data-protection commission, CNPD, says Amazon should be fined over $425M for violating Europe's General Data Protection Rules (GDPR).  The allegations are related to Amazon's data collection and usage policy, but details of specific violations haven't been revealed. The tech giant has repeatedly said it prioritizes the privacy of its customers and adheres to local laws.


  • Under GDPR, companies are obligated to seek permission from individuals before they use their data, or else they could be penalized.
  • The $425M fine accounts for 2% of Amazon's 2020 profit and 0.1% of its revenue. GDPR gives regulators the authority to issue fines of up to 4% of a company’s annual revenue.
  • What's next: Other EU privacy regulators must agree with the CNPD's decision before its finalized. This process could take months and lead to a higher or lower fine.


A message from TRANSCEND

What's really involved in building a privacy request system in house?

In this guide, we provide a breakdown of the essential elements to build an automated privacy request workflow, with advice from our experts who build these systems for a variety of multinational companies.

Also included: The six key questions you should have answers for before you start to guide your cross-functional conversations.

Get the guide

The U.S. Supreme Court sided with LinkedIn, giving it another opportunity to block competitor hiQ Labs from scraping personal information from its users’ public profiles. LinkedIn has long said the move violates the privacy of its users. At the heart of the issue is the Computer Fraud and Abuse Act (CFAA), which says that permission must be obtained before a computer can be accessed.


  • In 2019, a lower court rejected LinkedIn's argument that the CFAA blocks companies from harvesting data that's publicly available on the internet.
  • Earlier this month, in a separate case, the Supreme Court ruled it's not considered a violation of the CFAA if an individual improperly accesses data from a computer they have permission to use.
  • What's next: The Supreme Court declined to pick up the case and ordered the lower court to re-evaluate its decision given the recent ruling.


Consent Management, Reinvented: Existing consent managers are broken. They only regulate 3rd party scripts – leaving your company non-compliant, and users with a terrible experience. So, we reinvented how they work—want to join as a beta partner?

Get early access
Google will work with the U.K's Competition and Markets Authority (CMA) and Information Commissioner’s Office (ICO) to improve online ad targeting. The collaboration comes as Google looks to replace third-party cookies with Privacy Sandbox within the next year.


  • While Google says the move is designed to strengthen user privacy, others have expressed concerns it will weaken competition and make the tech giant more powerful. 
  • There are also questions about if Privacy Sandbox complies with Europe's GDPR. It's also facing concerns from privacy regulators in the U.S.
  • Google has pledged to be transparent with its plans and won't do anything to give itself an unfair advantage. It also won't merge user data with its ad products.
  • The CMA is satisfied with Google's pledges but will open a public consultation before they become legally binding.

The Verge

Chinese regulators have ordered social and e-commerce platforms to eliminate spy camera tutorials and vulnerable cameras from their platform or face serious consequences. The move comes as China strengthens its enforcement of privacy laws.


  • Spy cameras have become ubiquitous in China recently, and tutorials showing how they can be hacked have emerged online.
  • Regulators have launched a three-month campaign against the underground spy camera market.
  • In recent months, China has ordered foreign firms to store user data within the country, so the government has greater control of it.

South China Morning Post

Congressional Republicans expressed privacy concerns after ProPublica published a report last week, showing that billionaires paid very little in income tax. Republicans say IRS information must be kept private and have requested an investigation into the leak.


  • Democrats argue that the report shows that the IRS gives preferential treatment to corporations and wealthy individuals at the expense of low-income earners.
  • President Biden's new tax plan would force banks to inform the IRS about most money transfers in and out of personal and business accounts.
  • Republicans staunchly oppose the measure, arguing it would infringe on taxpayer privacy.

Associated Press

Canadian privacy commissioner Daniel Therrien said the Royal Canadian Mounted Police (RCMP) violated privacy laws by using Clearview AI's facial recognition software. In February 2020, the RCMP admitted to using Clearview's technology for several months and kept doing so until the company was banned from Canada last July.


  • Clearview AI has built its database by taking pictures from platforms such as Facebook and Instagram, which has made it the target of privacy investigations worldwide.
  • Therrien expressed concerns that the RCMP couldn't provide a reason for 85% of searches on Clearview's database.
  • The RCMP accepted responsibility for its actions and agreed to establish an oversight board to ensure the agency isn't violating any laws.
  • Meanwhile, in the U.S.: Congress has yet to pass legislation regulating law enforcement's usage of facial recognition technology in the year since George Floyd's death at the hands of the Minneapolis police last June.



In other privacy news:
  • New this morning: Sen. Kirsten Gillibrand (D-NY) is introducing a revamped version of her 2020 Data Protection Act. 
  • Apple defended its privacy policies after acknowledging it shared the phone data of two Democratic lawmakers during an investigation by the Trump administration.
  • Canadian Health Minister Patty Hajdu warned that transferring documents about a high-security lab in Winnipeg would have major privacy and national security risks.
  • The European Commission filed a lawsuit against Belgium after complaints that its privacy watchdog failed to meet the EU's independence requirements.
  • McDonald's is accused of violating Illinois' data privacy laws after it recorded customers' voices at drive-thrus for its AI chatbot.
  • The Market Information Research Foundation, which represents 64,000 European families, filed a $1.7B lawsuit against TikTok over alleged child privacy violations.
  • Volkswagen and Audi revealed data breach left the data of 3.3 million customers exposed at an undetermined point between August 2019 and May 2021

Transcend in 10 Mins: In this short on-demand demo, Transcend CEO Ben Brook walks through how we can help improve your privacy ROI with scalable, secure, and future-proof privacy infrastructure.

Watch Now

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.