WELCOME to Connected Rights, your gambol through the wheat fields of digital rights news and analysis.

FACEBOOK WILL INCUR THE MAXIMUM POSSIBLE FINE in the UK over the Cambridge Analytica scandal, the Information Commissioner’s Office (ICO) announced today. That fine is only £500,000, because the incident happened in the pre-GDPR days, but it’s still not a good look.

The privacy regulator found that Facebook broke data protection law firstly by not properly securing people’s information, and also by being opaque about how third parties were using that data.

It’s important to remember that the Facebook fine, and indeed the Cambridge Analytica probe, falls within a wider investigation into the (mis)use of personal data for influencing people’s political decisions. The ICO has released a progress report regarding that investigation, and also a separate report containing policy recommendations.

Those recommendations include making sure that political parties “apply due diligence when sourcing personal information from third party organisations, including data brokers, to ensure the appropriate consent has been sought from the individuals concerned and that individuals are effectively informed in line with transparency requirements under the GDPR”. This has blatantly not been happening so far, and all the main U.K. parties appear to be guilty on this front.

The ICO wants to see the government introduce a statutory code of practice governing the use of personal information in political campaigns. And “all online platforms providing advertising services to political parties and campaigns should include expertise within the sales support team who can provide political parties and campaigns with specific advice on transparency and accountability in relation to how data is used to target users”.

Here’s what the information commissioner, Elizabeth Denham, said: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes. New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.”

THE EUROPEAN PARLIAMENT HAS HELD UP THE CONTROVERSIAL Copyright Directive for further scrutiny, following a concerted campaign to stop it being shunted into the final “trilogue” negotiations while it still contains dangerous elements.

A plenary vote rejected the fast-tracking approach by just 318 votes to 278, which is pretty tight as these things go. This is by no means the end of the matter, but it does mean there is now a good chance of fixing the problematic parts: Article 11, which would impose a license fee on anyone who wants to link to something while reproducing a snippet of the linked-to text, and Article 13, which would force online platforms to scan everything people upload for potential copyright violations.

The reaction to this plenary vote from the rightsholder camp has been entertaining. “The hijacking of the process raises fundamental questions about how incumbent platforms and supposedly objective operators abuse their position. It underlines the need for greater transparency and scrutiny, especially with actors who have huge potential to influence public opinion and are not shy about using it,” said Helen Smith, the executive chair of music industry lobbyists Impala.

In other words, how dare the other side lobby too?

THE PARLIAMENT ALSO VOTED FOR THE SUSPENSION OF PRIVACY SHIELD, the U.S.-EU data-sharing agreement, in September if the U.S. and EU haven’t made it fully compliant with fundamental rights by that point.

This is just a non-binding resolution, but it does show that Privacy Shield may not have much of a future. The U.S. is in no hurry to provide equivalent protections to those provided under EU law – it never was, though the Trump administration is not helping matters. The spies are going to keep spying, and the Americans haven’t even bothered to fully staff their Privacy and Civil Liberties Oversight Board.

Some of us have always said Privacy Shield is doomed. The clock is ticking…

To support my work, why not become a patron of Connected Rights or buy my book, Control Shift?

IN THE AFOREMENTIONED BOOK, ONE SUGGESTION I made was the creation of a proper personal virtual agent – as opposed to a corporate system posing as a personal agent – that could provide an interface for users’ personal data, according to their genuine wishes, and that could scan lengthy terms of service to check that they would comply with users’ privacy preferences.

So imagine my joy at learning that the European Consumer Organisation (BEUC) and some researchers are working on an “automated evaluator of privacy policies” – a bot called Claudette, which will scan legalese to check that it truly complies with the GDPR. It has begun!

IT’S OFFICIAL: “DOOR-TO-DOOR PREACHERS” AND THEIR religious organisations are data controllers when it comes to the information they collect from people, and are therefore covered by the GDPR. That’s according to the CJEU’s final judgement in a case involving Finnish Jehovah’s Witnesses, which I have mentioned before.

MANY GAMES PUBLISHERS HAVE BEEN INTEGRATING AN “ANALYTICS” TOOL called RedShell into their games, in order to target advertising at the players. But then people realised that the tool, the use of which was not fully disclosed, was gathering more identifying information than they were comfortable with. Pushback ensued, and the games publishers are now rushing to remove RedShell.

REMEMBER THE STRAVA DEBACLE FROM EARLIER this year, in which the fitness app helped expose the movements of Western troops abroad? Well here’s another one: Polar, a fitness app that allows people to find the names and addresses for soldiers and secret agents.

These stories are entertaining stuff. People are rightly freaking out because of how these apps’ laxity on the privacy front exposes the whereabouts of soldiers, but at the same time the scandals demonstrate how all of us can be exposed, given the motivation to do so.

WHATSAPP IS TRYING TO COMBAT MISINFORMATION by launching a new label on messages that have been forwarded from another user, to make sure people know if a message they receive did not originate with the immediate sender.

MALAYSIA’S “FAKE NEWS” LAW IS BEING REPEALED by the country’s new prime minister, Mahathir Mohamad. The law was passed by his allegedly very corrupt predecessor, Najib Razak, who clearly had reasons for wanting to stamp out certain media reports. Mohamad campaigned on wanting to repeal the law, but seemed to have changed his mind once in office – turns out he intends to make good on the promise after all.

If you’d like me to speak about digital rights at your event or provide advice for your business, drop me an email at david@dmeyer.eu.

YOUTUBER PAUL DAVIDS, WHO MAKES GUITAR VIDEOS, WAS SURPRISED to find one of his videos hit with a copyright violation claim, as he owns the copyright to the music he was playing. It turns out that someone took music he had written, recorded and uploaded, and then used it as the basis for another musical composition – which YouTube then thought Davids’s original video was ripping off. All hail the wisdom of automated systems.

THE NEW YORK TIMES HAS A PIECE ON CHINA’S DYSTOPIAN surveillance infrastructure that makes a valuable point: the system is fragmented and often not very good at what it’s supposed to do, but “for technology to be effective, it doesn’t always have to work”. It just has to convince people that they are always under surveillance, so they modify their behaviour accordingly.