WELCOME to Connected Rights, your nail in the coffin of digital rights news and analysis.

Enjoy this newsletter? Forward it to a friend or get them to sign up. I’m David Meyer, aka @superglaze on Twitter and @davidmeyerwrites on Facebook. Don’t forget to check out the Connected Rights website and download a copy of my book, Control Shift: How Technology Affects You and Your Rights. Mauri!

WELL, IT HAPPENED. The European Parliament passed the Copyright Directive without removing Articles 11 and 13 (now renamed Articles 15 and 17). And just to make the defeat that much more bitter, the vote on debating the ancillary-copyright and upload-filter parts should have gone the other way – it fell by five votes, and a group of Swedish MEPs subsequently admitted they pressed the wrong button. The offending measures should have been debated and excised, but even though the voting record has now been corrected, the original vote remains binding.

Anyway, the Greens and Julia Reda seem to hope there might be some kind of last-ditch rescue in Council, which still needs to rubberstamp the directive. I can’t see any hope there to be honest, given that this is the deal Council already agreed upon. Game over (though I’d surely be happy to be proved wrong).

Want a glimmer of hope? It’s a directive, not a regulation, so there are still battles to be fought at the national level. Not that having a wildly fragmented regulatory landscape is going to make life easier, as such.

By the way, an investigation by Germany’s FAZ newspaper found Germany and France likely did some horse-trading on the issue, with Germany agreeing to back the directive if France backed a loophole in new gas legislation that smooths the way for the Nord Stream 2 Russian pipeline.

YOU WILL BE SHOCKED TO HEAR that Facebook was apparently well aware of Cambridge Analytica’s abuses of its platform months before the story broke – Zuck & Co have maintained that they only knew about it after the media exposed the misdeeds.

Facebook’s excuse? Yes, employees caught wind of Cambridge Analytica data-scraping in September 2015, as revealed in a court filing by Washington DC’s attorney general, but this was a “different incident” from the Kogan affair.

FACEBOOK’S MADE ANOTHER SECURITY BOOBOO, this time storing hundreds of millions of users’ passwords in plaintext on an internal system that was open to employees. It claims there’s no indication of employees having abused the database, nor of outsiders getting a peek. Let’s hope that’s true, but let’s all change our passwords shall we?

PRETICKED BOXES DO NOT VALID COOKIE CONSENT MAKE, according to an opinion from CJEU advocate general Maciej Szpunar in a case involving a lottery run by Germany’s Planet49.

Szpunar: “There is no valid consent within the meaning of [the 2002 ePrivacy Directive and 1995 Data Protection Directive] in a situation… where the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent and where consent is given not separately but at the same time as confirmation in the participation in an online lottery.”

The same goes for the interpretation of the ePrivacy Directive read in conjunction with the GDPR, he added.

The usual caveat applies: AG opinions do not dictate final CJEU rulings, though they usually align.

UBER DRIVERS IN THE UK are suing the company to get the personal data it holds on them, specifically the data that feeds the algorithms that decide which fares and routes they should take and how much they earn. The drivers say the data, due to them under the GDPR, would help them calculate holiday pay, appeal unfair dismissal and clue them in as to why Uber treats them as it does.

From the Economist‘s report: “Uber has declined to provide comprehensive data that the drivers have requested access to over the past two years. The requests, made separately, are now bundled up as one with Ravi Naik, a lawyer who is also handling data-protection cases against Facebook, Cambridge Analytica and online advertising companies. Uber supplied a limited dataset containing the origin and destination points of the drivers’ trips and some location data. The drivers say that the firm did not offer an explanation for its decision. Uber says it offered a detailed explanation but declined to say what it was.

“On March 20th the drivers sent a letter to Uber, warning the firm that they consider it to be in breach of European data-protection legislation. They say they will appeal Uber’s decision, either to the British, Irish or Dutch data-protection authority, or to the British High Court.”

FACIAL RECOGNITION IS THE SUBJECT of a great piece by my Fortune colleague Jeff John Roberts, who explains how companies are helping themselves to pictures of people’s faces with few legal restrictions.

He writes: “Consumers may be surprised at some of the tactics companies have used to harvest their faces. In at least three cases, for instance, firms have obtained millions of images by harvesting them via photo apps on people’s phones… While companies are able to use the sanctioned collections compiled by government and universities, such as the Yale Face Database, these training sets are relatively small and contain no more than a few thousand faces. These official data sets have other limitations. Many lack racial diversity or fail to depict conditions — such as shadows or hats or make-up — that can change how faces appear in the real world.”