WELCOME to Connected Rights, your hearing in the court of digital rights news and analysis.

Enjoy this newsletter? Forward it to a friend or get them to sign up. I’m David Meyer, aka @superglaze on Twitter and @davidmeyerwrites on Facebook. Don’t forget to check out the Connected Rights website and download a copy of my book, Control Shift: How Technology Affects You and Your Rights. Ahlan wa sahlan!

THE BIG HEARING IN THE SCHREMS II CASE took place yesterday, at the Court of Justice of the European Union (CJEU) in Luxembourg. The stakes are high in this one – the Court could nix both Privacy Shield and standard contractual clauses this time round, thoroughly messing up the transatlantic data flow. So, how did it go?

Everyone argued their well-established lines here, but one notable theme was that the Irish data protection authority really should just be enforcing the rules, not trying to have them declared invalid. Even European Data Protection Board chief Andrea Jelinek joined in: “It is to the supervisor authority to assess, based on a complaint, whether data are protected under standard contractual clauses. If not, they may suspend transfers.”

FRANCE’S NATIONAL ASSEMBLY HAS APPROVED a draft bill requiring the Facebooks and Twitters of this world to take down hateful content within 24 hours of notification. Failure to comply could incur fines of up to 4% of global turnover – that’s GDPR-grade stuff, and makes Germany’s €50 million cap look modest. However, the definition of illicit content in the bill is rather blurry, and digital rights activists are warning of overblocking and potentially even politically motivated censorship.


There’s a debate going on in Detroit about the use of the technology by the local police, with people expressing concerns over racially-biased systems. From the New York Times: “When James White, an assistant police chief in charge of the Detroit Police Department’s technology, rose to respond to critics at the public hearing, he provided unexpected backup to the charge that the software comes with baked-in bias. He himself, the assistant chief said, had been misidentified as other African-American men by the facial recognition algorithm that Facebook uses to tag photos.”

In the UK, an Essex University report suggested that the technology, which is being trialled by the Metropolitan Police, is wrong a good 81% of the time. The Greens say this shows the Met shouldn’t have rushed facial recognition technology into trials; the Tories point out that, well, this is what testing is for. Meanwhile, the chairman of the Met Police staff association said China’s widespread use of the technology is “spot on”.

Back to the US, and according to the Washington Post ICE and the FBI have been merrily scanning through state driver’s license databases, with millions of people’s photos being run through facial recognition systems without them a) knowing about it, and b) having been charged with any crime.

And the digital rights group Fight For the Future wants Congress to ban government use of the tech. Deputy director Evan Greer: “Imagine if we could go back in time and prevent governments around the world from ever building nuclear or biological weapons. That’s the moment in history we’re in right now with facial recognition. This surveillance technology poses such a profound threat to the future of human society and basic liberty that its dangers far outweigh any potential benefits. We don’t need to regulate it, we need to ban it entirely.”

THE UK INFORMATION COMMISSIONER’S OFFICE (which has incidentally just warned about the data protection implications of facial recognition) has suddenly gotten busy on the GDPR-fining front. In the last few days, it has announced its intention to fine Marriott International over £99 million, and British Airways over £183 million.

Both potential fines come as the result of GDPR violations – but specifically security-related ones. Both companies suffered data breaches; BA’s shoddy security allowed attackers to harvest half a million customers’ data by diverting them to a fraudulent site, while the Marriott/Starwood attack saw the exposure of 338 million guest records.

Information commissioner Elizabeth Denham, commenting on the Marriott debacle: “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

THE ICO HAS RECEIVED A COMPLAINT FROM supporters of Conservative Party leadership candidate Jeremy Hunt, who allege that Boris Johnson’s team broke data protection laws by using party membership email lists to promote their man without people’s consent.

THE BRITISH INTERNET SERVICE PROVIDERS ASSOCIATION nominated as “Internet Villain” of the year… Mozilla! Why? Because Mozilla intends to support the DNS-over-HTTPS protocol “in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.”

From ZDNet’s Catalin Cimpanu: “This protocol design means that a user’s DNS requests are invisible to third-party observers, such as ISPs; and all DoH DNS queries and responses hidden inside a cloud of encrypted connections, indistinguishable from the other HTTPS traffic. In theory, the protocol is a dream [for] privacy advocates, but a nightmare for ISPs and makers of network security appliances.”

Then, following negative publicity, ISPA withdrew the nomination. It wrote: “In the 21 years the event has been running it is probably fair to say that no other nomination has generated such strong opinion. We have previously given the award to the Home Secretary for pushing surveillance legislation, leaders of regimes limiting freedom of speech and ambulance-chasing copyright lawyers. The villain category is intended to draw attention to an important issue in a light-hearted manner, but this year has clearly sent the wrong message, one that doesn’t reflect ISPA’s genuine desire to engage in a constructive dialogue. ISPA is therefore withdrawing the Mozilla nomination and Internet Villain category this year.”

ANYONE WITH MORE THAN 30,000 SOCIAL MEDIA FOLLOWERS is classified as a celebrity and is therefore subject to advertising rules, the UK’s Advertising Standards Authority has decided. That means, for example, that popular platform-users can’t endorse medical products.

DO READ GRAHAM SMITH’S submission to the UK government’s Online Harms consultation. Key quotes: “A generic duty of care is the exception, not the norm… Limits on duty of care exist for fundamental policy reasons… The White Paper does not acknowledge its radical departure from existing principles.”

MICROSOFT’S EBOOK STORE IS NOW CLOSED, and that doesn’t just mean people can’t buy ebooks there anymore; it means those who previously did so can no longer read them, thanks to digital rights management. On the plus side, they get a refund…