Privacy XFN

Welcome to Privacy XFN, curating the best reads at the intersection of data privacy and tech. This week we’re covering news of China's new data privacy law and how it compares to GDPR, concerns about changes to TikTok's privacy policy, the data implications of the Taliban’s takeover in Afghanistan, and much more.

—The Transcend team

China has passed the Personal Information Protection Law (PIPL), which goes into effect on Nov. 1. Companies must have a clear reason for collecting data, obtain consent from users, and minimize the amount they aggregate. Data of children under 14 must be given extra protection. Personal data can't be used for price discrimination, but the law allows for cross-border transfer if international agreements exist.


  • Under GDPR and PIPL, foreign companies must have a domestic representative who ensures the organization complies with the law.
  • Companies must have a legal basis if they want to process personal data, under both laws.
  • Under GDPR, companies can be fined up to 4% of their global revenue. PIPL lets regulators fine organizations up to 5% of revenue.
  • GDPR forces companies that process data to respond to user requests within one month, while PIPL doesn't mandate a specific timeframe.
  • In related news: Tencent's WeChat was among 43 apps that "illegally transferred user data," according to China's Ministry of Industry and Information Technology.

Stanford DigiChina

Sens. Amy Klobuchar (D-MN) and John Thune (R-SD) told TikTok CEO Shou Zi Chew they were concerned about changes to its privacy policy. In June, TikTok said it would begin collecting biometric information, including "faceprints" and "voiceprints." The company said it would only seek permission from users in states such as California and Texas, which have biometric privacy laws.


  • Lawmakers asked Chew to clarify what a “faceprint” and “voiceprint” are, how the data will be collected, and how long it will be stored.
  • Chew has also been ordered to explain if TikTok collects data from minors and which third parties can access it.
  • TikTok agreed to a $92M settlement in February after it was accused of collecting biometric data and sharing it with third parties.
  • In 2019, the FTC said TikTok violated the Children’s Online Privacy Protection Act and fined it $5.7M.
  • TikTok's not alone: Earlier this month, Klobuchar, alongside Sens. Bill Cassidy (R-LA) and Jon Ossoff (D-GA), expressed privacy concerns about Amazon One, the company's palm print recognition system.


The Taliban could have access to the U.S. military's database of biometric information. It's unknown how many entries are in the database, but it reportedly contains information about Afghan civilians and the coalition government. In recent weeks, the Taliban has taken control of Afghanistan following President Biden's decision to withdraw American troops from the nation.


  • The U.S. government began deleting sensitive information before the withdrawal started but couldn't erase all records.
  • It's unclear if the Taliban has the technology and capabilities to access the data.
  • New protections from tech players: Facebook users in Afghanistan have had their friends list concealed to help protect their identity.
  • Clubhouse reset the photos and bios of users while making it harder to locate their profiles in the search bar.

The Verge

The State of Consent Management: We surveyed 100 global technical leaders on how they manage user tracking and consent preferences on their company’s websites. Leaders acknowledge they face a tension balancing customer trust and online experiences. Read the full report for more insights.

Officials in the German city-state of Hamburg have been told not to use Zoom by a privacy watchdog. The warning comes after the European Court of Justice struck down the EU-U.S. Privacy Shield agreement in July 2020. The agreement enabled transatlantic data transfers.


  • Officials were told to use a domestic video conference system.
  • In a paper outlining its transatlantic data transfer policy, Zoom says it has introduced measures to protect data that are on par with GDPR.
  • Talks over a new agreement between the EU and the U.S. have been going on for over a year; however, it's unknown when a new deal will be struck.


The U.S. Agency for International Development (USAID) used antiquated data loss procedures, according to an audit by the agency's inspector general. The audit found certain staff members could access personal information despite not having been properly trained for their roles.


  • The audit claims the agency failed to delete Social Security Numbers it no longer needed.
  • The IG recommended the CIO upgrade its data loss prevention procedures and introduce measures that ensure the agency is constantly deleting unnecessary Social Security Numbers.
  • In May, Microsoft warned Russian hackers were using USAID's email system to target other U.S. government agencies.


The Federal Communications Commission (FCC) launched an investigation into T-Mobile after a recent data breach impacted over 50 million customers. Names, Social Security Numbers, and dates of birth were among the information that hackers were able to access.


  • Watch this space: the probe will indicate how the agency will address telecom privacy under Democratic leadership, argues Bloomberg’s Maria Curi.
  • The FCC will investigate if T-Mobile implemented sufficient measures to protect the data and if it notified the authorities once the cyberattack was discovered.
  • Curi notes that the FCC under Republican leadership fined the four largest carriers over $200M in 2020 for sharing customer data.
  • T-Mobile has already offered customers two years of free identity protection services, but the FCC could make the company provide additional compensation.

Bloomberg Law

Google received 11,554 geofence warrants in the U.S. last year, up from 982 in 2018. Geofence warrants enable law enforcement officials to force Google to share information on all devices that were present near a crime scene during a specific period of time.


  • Privacy advocates have said geofence warrants are "unconstitutionally broad" and "invasive."
  • Between 2018 and 2020, the tech giant received 20,932 geofence warrants.
  • Last year, Google received 1,909 warrants from officials in California, the most of any state.
  • Google only received one warrant from officials in Maine and Hawaii.


In other privacy news:
  • The Chinese government will force automakers to obtain consent from drivers before collecting data, according to new rules that go into effect on Oct. 1.
  • 70 million AT&T customers reportedly had their data stolen by an unnamed hacker group, according to RestorePrivacy. AT&T has denied the claims.
  • There were 446 data breaches in Australia during the first six months of 2021, a 16% decline from the second half of 2020.
  • Sticking with Australia: 84% of consumers want "full transparency" over how businesses are using their data, but only 34% say they've gotten it, according to a recent survey from Qualtrics.

Consent Management, Reinvented: Existing consent managers are broken. They only regulate 3rd party scripts – leaving your company non-compliant, and users with a terrible experience. So, we reinvented how they work.


Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.