WELCOME to Connected Rights, your rake in the forest of digital rights news and analysis.

Enjoy this newsletter? Forward it to a friend or get them to sign up. I’m David Meyer, aka @superglaze on Twitter and @davidmeyerwrites on Facebook. Don’t forget to check out the Connected Rights website and download a copy of my book, Control Shift: How Technology Affects You and Your Rights. Selamat datang!

DISLIKE CREEPY TARGETED ADVERTISING? Then you’ll love a ruling from French privacy regulator CNIL, in a case involving ad-tech outfit Vectaury.

As explained by Natasha Lomas over at TechCrunch in admirably straightforward terms – I tried to parse the story a couple times in the last few days but suffered severe brain-freeze – CNIL ruled that “consent to processing personal data cannot be gained through a framework arrangement which bundles a number of uses behind a single ‘I agree’ button that, when clicked, passes consent to partners via a contractual relationship.”

Why? Because consent doesn’t work that way under the GDPR. And that’s a big problem for online advertising companies. Of note, Vectaury’s “consent flow” was based on a template from IAB Europe, a marketing industry body that is perhaps not as au fait with the GDPR as it claims to be (though it claims Vectaury didn’t implement the template correctly).

Privacy experts are hoping this is the start of many rulings that, in Lomas’s words, “could force a change of mindset across the entire ecosystem” by ensuring that we are all fully informed about the countless places our data goes, before we consent to it going anywhere. Wouldn’t that be nice?

YOU MAY REMEMBER WHEN, EARLIER THIS MONTH, the Russian government decided that all users of messaging apps must be identifiable, and their mobile operators must keep lists of who uses what app. This was, I said, the latest example of Russia clamping down on people’s online freedoms.

Silly me! Alexander Zharov, the head of Russian media and telecoms regulator Roskomnadzor, has thankfully set the record straight, telling TASS: “The new rules will respect users’ right to privacy, it will only be data required for identification that will be requested.” I’d love to know how he defines privacy, then.

Zharov also had this to say about the concept of anonymous messaging: “I call it fictitious because the term ‘anonymity’ is just a marketing gimmick. Today, messengers request access to your contacts. By giving it to the app, you allow it to identify who on your contact list uses it. Hence, if you are just among contacts on somebody’s smartphone, you are already identified by the messenger’s administrators whether you want to be or not.”

Yes, but the app providers aren’t the government of a repressive state. Not even Facebook! Speaking of which…

AS RECOUNTED IN LAST WEEK’S NEWSLETTER, CIVIL SOCIETY groups were begging Facebook to introduce proper, non-algorithmic appeal procedures for regular users whose content is taken down from the platform. Lo and behold, on Thursday King Zuck announced just that.

“Any system that operates at scale will make errors, so how we handle those errors is important. This matters both for ensuring we’re not mistakenly stifling people’s voices or failing to keep people safe, and also for building a sense of legitimacy in the way we handle enforcement and community governance,” he wrote.

“We began rolling out our content appeals process this year. We started by allowing you to appeal decisions that resulted in your content being taken down. Next we’re working to expand this so you can appeal any decision on a report you filed as well. We’re also working to provide more transparency into how policies were either violated or not.”

GOOGLE HAS COME OUT AND SAID IT: If ancillary copyright (don’t call it a “link tax”) is introduced across the EU, as now seems quite likely, the company may shut down Google News across the bloc.

Google News chief Richard Gingras told the Grauniad that Google “would not like to see” the news service shutter across Europe, as happened in Spain when a particularly draconian version of ancillary copyright was mandated, but “we can’t make a decision until we see the final language”.

I hope not to be saying I told you so on this – I’ve been warning about this outcome for years now – but here’s something for lawmakers to bear in mind: Would the end of Google News in Europe be a black eye for Google? Kind of, but the firm doesn’t advertise against News anyway. Would it help local rivals to Google in the news-aggregation space? Obviously not. Would it help news outlets? Haha no. All it would do is destroy media startups, reduce the plurality of the marketplace, and inhibit the spread of fact-based journalism.

WHAT DOES THE DRAFT/DOOMED BREXIT AGREEMENT SAY about data protection? Quite a lot, it seems, and Hogan Lovells lawyers have written a useful blog post on the main points.

The big takeaway seems to be that the EU has agreed to work out whether the UK has an “adequate” data protection regime before rather than after the end of the transition period. That would mean a heck of a lot more certainty for British businesses wondering if they can continue to import the data of EUropeans without breaking EU law. Of course, the adequacy decision would still need to be made, and the UK’s dreadful surveillance laws – which it can get away with inside but not outside the EU, as far as EU law is concerned – could provide a serious obstacle.

As may the fact that the deal is, as things stand, dead in the water. And if Brexit happens without a deal, good luck everyone…

LOOKS LIKE CHINA IS EXPORTING ITS AUTHORITARIAN citizen-monitoring techniques. ZTE, one of the big Chinese telecoms equipment manufacturers, is helping Venezuela expand the use cases for its “fatherland card” – that’s an ID card in non-scary-speak – to include the recording of everything from income and medical history to political party memberships and voting records. Card-holders get cash prizes for rallying voters! Non-card-holders apparently get hassled by their doctors.

AMAZON HAS BEEN ASKED TO TURN OVER any recordings that it may have from a murder victim’s Echo device, from the day the victim and her friend were killed. The New Hampshire court said there was reason to believe “such information contains evidence of crimes committed against [the victim], including the attack and possible removal of the body from the kitchen.” Amazon said it “will not release customer data without a valid and binding legal demand properly served on us.”

In theory, Amazon should not have this information, as “Alexa”, its virtual assistant software, only starts recording when it thinks it hears a command word such as “Alexa”. But the system goes wonky sometimes.