Case analyses

The case analyses provided here were carried out with external support and discussions with the grantee organisation to provide a more detailed analysis of case development and the application process.

Class Action Case Against the Bulgarian National Revenue Agency

In 2019, an anonymous hacker breached the systems of the Bulgarian National Revenue Agency. This resulted in one of Bulgaria’s largest data breaches, compromising the personal data and financial details of millions of people. This incident exposed the lack of security measures put in place by the agency against cyberattacks and gave rise to concerns that the case represented part of a larger data protection problem within public authorities.

Kaldamukov, Dinev, Bliznakova & Mandazhieva Legal Services is taking a collective action lawsuit on behalf of Bulgarian citizens over the data breach and are seeking to compel the National Revenue Agency to better protect people’s data in the future. Download the full case study in PDF here.

Bundesinstitut für Risikobewertung v. Arne Semsrott (Open Knowledge Foundation Germany)

In 2018, the Open Knowledge Foundation Germany (OKF) submitted a freedom of information request to obtain an official report about a controversial weedkiller that could potentially cause cancer in humans. After obtaining the report, OKF published it on their website. The government agency that produced the report then tried to use copyright law to suppress it.

OKF fought the case in court, arguing that the German authorities were misusing copyright law as a way to censor information that the public had a right to see. In November 2020, the court found in favour of OKF. Download the full case study in PDF here.

The Queen (on the Application of Liberty) v Secretary of State for the Home Department and Secretary of State for Foreign and Commonwealth Affairs

In 2016, the UK government passed the Investigatory Powers Act, a piece of legislation commonly referred to as the Snoopers’ Charter, that gave a statutory underpinning to one of the most sweeping surveillance regimes in the world. It provided for the collection and storage of anything at all that a person shares online, even personal communications such as phone calls and emails, whether or not that person is accused of any wrongdoing. It even gave the authorities the power to hack into people’s devices and computers to gather information.

Liberty brought a case to challenge this intrusive legislation before the courts. In April 2018, the courts found parts of the legislation to be unlawful. However, in July 2019, a court upheld some of the “bulk powers” in the law to hack, intercept and collect communications data. Liberty intends to appeal the latter decision. Download the full case study in PDF here.

Open Rights Group Pre-litigation Research for AdTech Complaints

Every time anyone opens a webpage that uses personalised adverts, data about that person is immediately broadcast to hundreds of thousands of entities across a data supply chain that underpins the online advertising industry. This process is referred to as “Real Time Bidding.”

Open Rights Group is working with a coalition of partners filing complaints with Data Protection Authorities across Europe arguing that data processing that takes place in online advertising (i.e. adtech) is in breach of data protection law. By the end of 2020, complaints had been filed in 21 jurisdictions across Europe. Download the full case study in PDF here.

Centre for Women’s Justice v. UK National Police Chiefs’ Council

In April 2019, police forces in England and Wales established a formal practice of mobile phone extraction, including the collection and review of text messages, images, communication and other data on a person’s phone, for the purpose of criminal investigation. This practice was relied on to pressurise and coerce victims of crime, including of sexual offences, to hand over their devices for extraction.

The Centre for Women’s Justice, with the support of Big Brother Watch, sought to challenge this practice before the courts. Before the case could be considered by a court, police forces in England and Wales withdrew the impugned practice. The Centre for Women’s Justice and Big Brother Watch are monitoring the situation, and hope that future practices for criminal investigation are human rights compliant. Download the full case study in PDF here.

The Joint Council for the Welfare of Immigrants v. UK Secretary of State for the Home Department

In 2019, the media uncovered that the UK Home Office was using a secret algorithm to stream visa applications. This algorithm would automatically label visa applications as either ‘red,’ ‘amber,’ or ‘green.’ Those applicants flagged as ‘red’ would find their visas shut out or slowed down.

Foxglove and the Joint Council for the Welfare of Immigrants took legal action on the basis that this algorithm entrenched inaccurate and unfair decision making, and discriminated against visa applications of people from certain countries. They filed a claim against the UK government demanding they introduce regulations that ensure fairness, transparency and accountability in relation to use of such an algorithm. Download the full case study in PDF here.

Secret, targeted surveillance in Hungary

In Hungary, the laws that facilitate targeted surveillance of individuals do not require that these individuals be notified of the fact that they have been subjected to surveillance measures. This means there are no adequate safeguards in place for individuals to find out about or challenge unwarranted surveillance.

The Hungarian Civil Liberties Union is taking three interrelated cases arguing that there is no effective remedy against unlawful surveillance in Hungary. By pursuing this litigation, they hope to encourage a more conducive legal environment for human rights defenders and activists to challenge surveillance and strengthen their freedom of expression and right to privacy. Download the full case study in PDF here.

ePaństwo Foundation v. Ministry of Justice of Poland

In Poland, the Ministry of Justice has developed an algorithm that is used to allocate cases to judges. There are concerns that the algorithm is inherently unfair and biased, but its details are kept secret from the public. The ePaństwo Foundation argue that such algorithms should be accessible through freedom of information law.

In 2018, the ePaństwo Foundation filed a freedom of information request to get access to information about the algorithm. The government refused to share any information about how the algorithm was built, how it worked, and what data it used. The ePaństwo Foundation has appealed this refusal up to the Supreme Administrative Court, where they are arguing that the algorithm is public information that should be available to citizens. Download the full case study in PDF here.

NJCM, Platform Bescherming Burgerrechten and others v. The Netherlands (the SyRI case)

The System Risk Indication (SyRI) is a risk-scoring algorithm used by the Dutch authorities to identify those likely to commit welfare fraud. The system relies on personal and sensitive data that is pooled from the databases of various public bodies and has been criticised for being biased, discriminatory, intrusive and inaccurate. A coalition of NGOs, led by the Public Interest Litigation Project (PILP-NJCM) and the Platform Bescherming Burgerrechten, joined forces with a Dutch trade union federation and two authors to bring litigation challenging SyRI on human rights grounds.

This is one of the first cases in Europe to challenge state use of “predictive policing” type tools to surveil and profile welfare recipients. In 2019, hearings were held before the First Instance Court of the Hague and, on 5 February 2020, the court ruled that the law underpinning SyRI was in violation of the right to private life under the European Convention of Human Rights. Download the full case study in PDF here.

De Capitani and others v. Federal Republic of Germany, Criminal Police Office of Austria and others

The EU Passenger Names Record (PNR) Directive requires EU states to collect the personal data of airline passengers flying in and out of the EU, including email addresses, credit card details, IP addresses and even on-board meal choices. The Gesellschaft fuer Freiheitsrechte (GFF) and epicenter.works argue that the collection and analysis of this data amounts to illegal mass surveillance, and leaves certain individuals vulnerable to discrimination by the authorities.

The two organisations are taking a number of strategic cases before civil and administrative courts in Germany, as well as the Data Protection Authority in Austria, arguing that the data retention under the Directive is illegal and violates human rights. The ultimate goal of the litigation is to obtain a judgment from the Court of Justice of the European Union invalidating the Directive. Download the full case study in PDF here.

SIN v. Facebook

Polish civil society organisation SIN provides drug education and supports drug users by cautioning against the harmful effects of psychoactive substances. Through their Facebook page and group they promoted activities, organised events, managed volunteers and responded to requests for support. In March 2018, Facebook suddenly removed SIN’s Facebook pages and groups.

With the help of Panoptykon, SIN has filed a lawsuit against Facebook. The case is an example of using strategic litigation to ensure private companies respect social media users’ rights to free speech and fair process, and has the potential to empower them to bring claims against private censorship online. Download the full case study in PDF here.

These case evaluations were developed and designed with the help of Jennifer Easterday, Alice Sachrajda and 05creative*.