WELCOME to Connected Rights, your wrinkle in the fabric of digital rights news and analysis.

Enjoy this newsletter? Forward it to a friend or get them to sign up. I’m David Meyer, aka @superglaze on Twitter and @davidmeyerwrites on Facebook. Don’t forget to check out the Connected Rights website and download a copy of my book, Control Shift: How Technology Affects You and Your Rights. Karibuni!

APPLE CEO TIM COOK IS ON THE PRIVACY WARPATH again. This morning he addressed the 40th International Conference of Data Protection and Privacy Commissioners in Brussels, warning of a “data industrial complex” that is weaponising our data and deepening divisions. “Data assembled to create a digital profile lets companies know you better than you know yourself. This is surveillance,” he said.

As the Open Rights Group’s Jim Killock noted, “it’s the kind of thing you normally hear from civil society organisations.”

Cook also called for a strong, GDPR-esque privacy law over in the US. Before this year, that might have been a more explosive stance to take. But several things have happened in recent months that make it less heretical: Cambridge Analytica and similar data protection scandals; the onward march of big data breaches; the fact that the GDPR did not kill the internet as some lobbyists predicted; and, as I noted in a Fortune essay today, the fact that strong new privacy laws are already starting to appear in the US, but in a patchwork fashion that could make life rather complicated for businesses.

Let us not forget that a prime motivation of the GDPR, apart from strengthening EU data protection law, was to harmonise a complicated landscape of national laws that reduced predictability for businesses. That’s why Apple and its more data-industrial-complex peers already told US lawmakers last month that a national data protection law was the way to go.

Change is coming. But what will it look like?

NICK CLEGG IS, SOMEWHAT ASTOUNDINGLY, FACEBOOK’S new lobbyist-in-chief. Mind you, it shouldn’t be that surprising. The former UK deputy prime minister last year stood up for his new masters in a newspaper column (“It’s time we pause for breath before everyone charges off in a stampede of condemnation of tax-dodging-fake-news-extremism-promoting-data-controlling tech firms” – and this was before 2018), and his campaign manager and predecessor as MP for Sheffield Hallam, Richard Allan, also went on to become a major Facebook lobbyist (though just for Europe, rather than on a global level).

As Carole Cadwalladr wrote in a piece on the news of Clegg’s new gig: “Finally, some real power. Deputy prime minister is so last century. You’re now vice-president of global affairs and communications at Facebook, a company that, as Mark Zuckerberg points out, is less a traditional firm than a full-blown nation state. And not just any nation state – the most powerful nation state on Earth, ever, home to 2 billion people and with nothing as inconvenient as elections to get in the way of ‘progress’. Suck up to the supreme leader and you’re set. Think of it as something like the coalition, only set in Pyongyang in 2022.”

OK, the Pyongyang jibe is perhaps taking things a little far, but the reference to the Liberal Democrats’ coalition with the Conservative Party is not. Yes, the Lib Dems may have moderated the Tories’ policies to some extent for that term, but the end result was the electoral demolition of Clegg’s party and the further empowerment of David Cameron’s. It would take a pretty die-hard Lib Dem supporter to look back at that period and call it a success, no matter what the party was trying to achieve by joining forces with the Tories.

Clegg claims he is joining Facebook not because of the seven-figure salary but because “it is time to build bridges between politics and tech so that tech can become the servant of progress and optimism, not a source of fear and suspicion… I have been impressed in my numerous conversations with Mark Zuckerberg and Sheryl Sandberg in recent months by the seriousness with which they recognise the profound responsibilities that Facebook has – not only to its vast number of users but to society at large.”

If he really believes that, he should have a word with the WhatsApp founders or other idealistic people who bought into the spiel and the cash, before fleeing when the truth became apparent.

ANN CAVOUKIAN, THE FORMER ONTARIO PRIVACY CZAR and the creator of the “privacy by design” principles, has walked out of a smart city project in Toronto that involves Google sibling Sidewalk Labs. The issue is privacy – unsurprisingly for a project derided by Blackberry co-founder Jim Balsillie as “a colonising experiment in surveillance capitalism”.

Cavoukian told Global News: “I felt I had no choice because I had been told by Sidewalk Labs that all of the data collected will be de-identified at source… Sidewalk said while they would commit to doing it, the other parties involved in these new entities they’ve created… they couldn’t make them do it… When I heard that, I said ‘I’m sorry. I can’t support this. I have to resign because you committed to embedding privacy by design into every aspect of your operation.’”

THE CLASS ACTION SUIT OVER YAHOO’S MEGA-BREACH (which happened in 2013 but was only admitted to in 2016) is finally being settled. Yahoo, now part of Verizon, will pay out $50 million in compensation, plus legal costs and free credit-monitoring services.

THE BRITISH SUPERMARKET CHAIN MORRISONS HAS LOST a legal challenge against a High Court ruling that found it was partly liable for a data breach, in which an employee maliciously leaked the personal data of around 100,000 other employees. If it loses its next appeal, to the Supreme Court, it will have to pay vast amounts of compensation to employees that sued it for distress.

The Court of Appeals’ ruling on the matter included this nugget, which Mishcon de Reya’s Jon Baines reckons will see corporate insurance premiums soar; it regards the defence’s claim that the compensation would be outlandishly huge:

“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes… The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by [Morrisons’ lawyers].”

THAT CASE HAD NOTHING TO DO WITH THE GDPR (it predated the new regulation coming into effect) but this does: a Portuguese hospital has been fined €400,000 under the GDPR for implementing slack access policies in its medical records system. An audit found social services staff were able to access clinical records that should only have been seen by doctors. Apparently there were 985 accounts with that level of access, and only 296 doctors who were supposed to have authorisation.

THE EU’S TOP COURT HAS ISSUED ANOTHER ruling about Germans and illegal file-sharing. This time it’s about a guy who got nailed by an audiobook publisher for sharing one of its works, and who got away with it by telling a court that his parents also had access to the same internet connection.

That’s not OK, the Court of Justice of the European Union decided. The court said EU member states cannot allow people to get away with copyright infringement so easily. Multiple rights are being balanced here – privacy and family life on the one side, and intellectual property and effective legal remedies on the other – and “almost absolute protection” of this kind just doesn’t fly, as the publisher becomes unable to defend its rights.

The court said: “EU law precludes national legislation (such as that at issue, as interpreted by the relevant national courts) under which the owner of an internet connection used for copyright infringements through file-sharing cannot be held liable to pay damages if he can name at least one family member who might have had access to that connection, without providing further details as to when and how the internet was used by that family member.”

So the guy now has to properly rat on his folks if he wants to maintain his defence. That’s going to make for an uncomfortable Christmas…