WELCOME to Connected Rights, your blessing in the disguise of digital rights news and analysis.

Enjoy this newsletter? Forward it to a friend or get them to sign up. I’m David Meyer, aka @superglaze on Twitter and @davidmeyerwrites on Facebook. Don’t forget to check out the Connected Rights website and download a copy of my book, Control Shift: How Technology Affects You and Your Rights. Som svakôm!

FACEBOOK IS LIKELY TO GET A SUBSTANTIAL FINE under the GDPR for its latest data breach, a corker taking in 50 million people – up to a tenth of whom are in the EU. Basically, Facebook’s shoddy code allowed people to take over other people’s accounts.

The Wall Street Journal said Facebook could get fined as much as $1.63 billion. That’s deeply unlikely – the figure just represents the maximum fine that Facebook could incur under the GDPR for a super-duper-wilful violation of the regulation, i.e. 4% of annual global revenue. In reality, Facebook notified the Irish data protection authority within 72 hours of discovering the breach, and it’s a company that takes security very seriously, so – if there is a fine – there are plenty of mitigating factors to whittle it down.

On the other hand, the Irish DPC said Facebook’s notification “lacked detail”, adding that the company seemed “unable to clarify the nature of the breach and the risk for users at this point”. Let’s see what happens – I dare say regulators are itching to flex their GDPR-infused muscles, and Facebook’s scalp would provide one heck of an example to others, but the company is also being investigated for other, more fundamental GDPR violations. Those are probably where the biggest fines lie.

Fun footnote: Apparently keen to demonstrate the dangers of crappy AI – and that’s the charitable explanation – Facebook’s system blocked users’ attempts to post an article about the breach.

APPLE CEO TIM COOK SAID THAT KIND OF BREACH would never happen at Apple, because his company doesn’t build detailed profiles of its users. In a Vice News interview, he also rebuffed the idea that Siri, Apple’s virtual assistant, suffers because of Apple’s relatively cautious data-gathering ways. Cook: “The narrative that some companies will try to get you to believe is, ‘I’ve got to take all of your data to make my service better.’ Well, don’t believe that. Whoever’s telling you that — it’s a bunch of bunk.”

SPEAKING OF BREACHES, there was much hilarity over the Conservative Party’s conference app, which forced an awful lot of phone-number changes by exposing major politicians’ personal details to other conference-goers. The flaw was spectacularly basic: anyone could log into any attendees’ accounts by just entering their email address.

From the Guardian‘s article on the fiasco: “Once logged into the app, users were able to both amend and make the personal details of prominent MPs public. Twitter users claimed [Boris] Johnson’s picture had been briefly changed to one featuring a pornographic image. [Michael] Gove’s picture was changed to Rupert Murdoch, his previous employer at the Times… Commentators said the flaw raised questions over the ability of the government to harness technology to solve issues around the Irish border and customs checks. The app may also have breached data laws.”

I think it’s safe to say it broke data laws.

IF YOU GIVE FACEBOOK YOUR PHONE NUMBER for two-factor authentication purposes, the company uses it to target ads at you. That’s one of several interesting tidbits in a research paper written up by Gizmodo‘s Kashmir Hill.

As Hill notes, Facebook targets ads using “shadow contact information” that it won’t even show the data subjects, even if they’re in the EU. Again, hello GDPR.

FORBES HAS AN INTERESTING INTERVIEW WITH WHATSAPP CO-FOUNDER BRIAN ACTON, who recently fled Facebook over its, shall we say, less-than-enthusiastic take on privacy. Facebook wanted to make money out of WhatsApp, and Acton suggested simply charging people if they use it a lot. But CTO Sheryl Sandberg, who was keen on introducing targeted advertising instead, complained that Acton’s idea “wouldn’t scale”.

From the piece: “‘I called her out one time,’ says Acton, who sensed there might be greed at play. ‘I was like, ‘No, you don’t mean that it won’t scale. You mean it won’t make as much money as…,’ and she kind of hemmed and hawed a little. And we moved on. I think I made my point… They are businesspeople, they are good businesspeople. They just represent a set of business practices, principles and ethics, and policies that I don’t necessarily agree with.”

To support my work, why not become a patron of Connected Rights? If you would prefer to make a one-off donation, I also have a PayPal.me page.

THE JUST-AGREED REPLACEMENT FOR NAFTA, the United States-Mexico-Canada Agreement (USMCA, which just rolls off the tongue doesn’t it), has important copyright and privacy implications.

There’s an extension of copyright in Canada to 70 years after the creator’s death (the international standard is 50). However, as Michael Geist explains, Canada got to keep its notice-and-notice system, whereby ISPs notify and monitor customers who are accused of unlawful filesharing, rather than having to adopt the American notice-and-takedown system.

Here’s Geist on the digital trade stuff: “The digital trade chapter largely mirrors the one found in the TPP. That means that there are provisions on prohibiting customs duties, facilitating electronic transactions, anti-spam measures, and very weak language on having domestic privacy and consumer protection rules. The USMCA does not include a stand-alone net neutrality provision as found in the TPP.”

The three countries can’t introduce laws that are “premised on liability for internet companies”. Data localisation is out, as are any restrictions on cross-border data transfers – Geist suggests the latter point “could become a challenge should the EU require restrictions to meet its privacy standards”.

THE CJEU DELIVERED AN INTERESTING RULING yesterday. The case involves the robbery in Spain of someone’s wallet and mobile. The cops wanted access to data “identifying the users of telephone numbers activated with the stolen telephone during a period of 12 days as from the date of the robbery”. A magistrate said no because the crime was not a serious offence, and the requested data can only be handed over when investigating serious offences.

Fast-forward to the Court of Justice, which said that yes, accessing that identifying information is an interference with people’s fundamental rights, but “that interference is not sufficiently serious to entail access being restricted, in the area of prevention, investigation, detection and prosecution of criminal offences, to the objective of fighting serious crime”.

The CJEU noted that the 2002 ePrivacy Directive talks about criminal offences, rather than only serious crime. It’s all about proportionality – serious interferences require serious protections, but “when the interference is not serious, that access may be justified by the objective of preventing, investigating, detecting and prosecuting ‘criminal offences’ generally”.

If you’d like me to speak about digital rights at your event or provide advice for your business, drop me an email at david@dmeyer.eu.

THE EUROPEAN COMMISSION GOT FACEBOOK, TWITTER ET AL to agree on a self-regulatory code of practice regarding the fight against “fake news”. The platforms agreed to “help people make informed decisions when they encounter online news that may be false”, “invest in technological means to prioritise relevant, authentic and authoritative information where appropriate”, and “make it easier for people to find diverse perspectives about topics of public interest”.

SOMEONE’S BEEN SPYING ON PEOPLE IN SOUTH AFRICA with spyware that is only sold to governments.

WANT TO READ A GENIAL YET FRUSTRATING EXCHANGE ON ONLINE ANONYMITY, between MP Jess Phillips and tech author Jamie Bartlett? Here you go.