Privacy XFN

Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech. We’re covering Sen. Ron Wyden's (D-OR) new foreign surveillance bill, claims that GDPR is fundamentally "broken," Apple's big privacy win in China, and much more.

Plus, news just in from Colorado: As expected, Gov. Jared Gov. Jared Polis signed the Colorado Privacy Act (CPA) into law on Wednesday. It goes into effect in 2023 (as does California's CPRA and Virginia's CDPA).

—The Transcend team

Sen. Ron Wyden (D-OR) will introduce the Protecting Americans’ Data From Foreign Surveillance Act of 2021. The bill would force federal agencies to implement safeguards to ensure any personal data that's exported isn't misused by foreign governments.


  • If the bill becomes law, anyone who breaks it could face criminal penalties or private right of legal action.
  • Wyden's not done: Last month, the senator introduced the Protect Reporters from Excessive State Suppression (PRESS) Act to shield the phone and email records of journalists.
  • Both Democrats and Republicans say the U.S. must strengthen privacy protections for cloud data.


Hamburg Privacy Commissioner Johannes Caspar says GDPR's “one stop shop” model makes it difficult to regulate tech giants. The Irish DPA is the EU's main regulator but it must seek consent from others, which can delay final decisions. Caspar noted that 28 Irish cases remain outstanding.


  • Companies can be fined up to 2%-4% of their annual revenue for severe violations but none have so far.
  • Caspar says infighting between privacy commissioners has led to delayed decisions and insufficient fines.
  • Ireland says cases take a long time to be resolved because of the scope and possibility of large fines.
  • Help is on the way: Last month, the EU Court of Justice said countries that can demonstrate “emergency need” can prosecute GDPR violations, even if the company is based elsewhere.

CPO Magazine

A message from TRANSCEND

What's really involved in building a privacy request system in house?

In this guide, we provide a breakdown of the essential elements to build an automated privacy request workflow, with advice from our experts who build these systems for a variety of multinational companies.

Also included: The six key questions you should have answers for before you start to guide your cross-functional conversations.

Get the guide

Apple blocked CAID (Chinese Advertising ID) which would have tracked users' iPhones even if they opted out of the an app's IDFA (Identifier for Advertisers). CAID was a co-ordinated attempt by Chinese tech giants such as Baidu, Tencent, and ByteDance (TikTok's owner) to bypass Apple's App Tracking Transparency rules.


  • CAID was supposed to launch in March but didn't after Apple blocked updates to Chinese apps that were early adopters of the technology.
  • Privacy experts argue that Apple was in a tough spot as blocking CAID could have jeopardized its $50B Chinese business.
  • On the other hand, Apple could have faced global condemnation if had different rules for China.
  • Separate but related: The Cyberspace Administration of China (CAC) ordered app stores to remove Didi Global's app after concluding that the ride-hailing giant illegally collected the personal data of users. 

Financial Times

Consent Management, Reinvented: Existing consent managers are broken. They only regulate 3rd party scripts – leaving your company non-compliant, and users with a terrible experience. So, we reinvented how they work—want to join as a beta partner?

Get early access
California remains the only state to ban dark patterns, which is when a user interface is designed to mislead individuals into taking actions they didn't intend to. The state amended the California Consumer Privacy Act (CCPA) in March and last November voters approved the California Privacy Rights Act (CPRA), which takes effect in 2023.


  • The bi-partisan Deceptive Experiences To Online Users Reduction (DETOUR) Act was introduced in the Senate in 2019 but didn't receive a vote.
  • The Washington Privacy Act, which is similar to the CPRA, failed to pass.
  • FTC Commissioner Rohit Chopra admitted existing privacy laws have failed to block dark patterns and urged the agency to take action.

National Law Review

The Data Privacy Foundation and Dutch-based Consumentenbond can proceed with litigation against Facebook after a Dutch court rejected the tech giant's appeal. Both non-profits allege that Facebook hasn't been fully transparent of what data it collects and how it's used, which violates the EU's privacy law. The tech giant has denied all allegations.


  • Facebook argued its European business is under Irish jurisdiction and it can't face litigation in a Dutch court.
  • However, the court said litigation involving Dutch Facebook users should occur in the Netherlands.
  • Over 185,000 people have signed up to be part of representative action, and they could receive financial compensation.


Privacy concerns have emerged as more consumers worldwide use digital payments during the COVID-19 pandemic. A recent Mastercard survey shows that 90% of consumers used an emerging payment type in the past year.


  • Singapore has one of the world's highest levels of contactless payment usage. 
  • In the first half of 2020, fraud rose by 73.8% YoY in the city-state.
  • Singapore amended its personal data protection act and companies will now face stronger penalties for violations.


The Supreme Court said California can't force charities to reveal the identities of major donors in a 6-3 decision. All six conservative justices formed the majority, while the liberal bloc was in dissent.


  • In his majority opinion, Chief Justice John Roberts said California was violating the first amendment.
  • In her dissent, Justice Sonia Sotomayor argued there is no evidence donors will face consequences if their identity is revealed.
  • Sotomayor backed California, adding that most donors are okay with their identity is made public.


In other privacy news:
  • Maine has passed one of the strongest laws in the U.S. to regulate the use of facial recognition technology. It's not banned in schools and limits usage by law enforcement.
  • New on the Transcend blog: how companies can defeat cookie banners.
  • A federal judge in California ruled Google will face a lawsuit to address privacy concerns related to its Voice Assistant.
  • Google, Facebook, and Twitter threatened to leave Hong Kong if the government moves forward with amendments to its data-protection laws.
  • European Commission's executive vice president Margrethe Vestager said Apple can't use privacy concerns as a reason to restrict App Store competition.
  • Swedish regulators are investigating fintech startup Klarna following a data breach in May that exposed users' personal information.

Transcend in 10 Mins: In this short on-demand demo, Transcend CEO Ben Brook walks through how we can help improve your privacy ROI with scalable, secure, and future-proof privacy infrastructure.

Watch now

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.