Case studies
DFF supports strategic litigation to advance digital rights in Europe, by providing financial support for strategic court cases and catalysing collaboration between those working to advance digital rights.
Strategic litigation – litigation with broad impact and which can bring about legislative or policy change – has proven to be a crucial lever to protect human rights in the digital realm.
The case studies provided here illustrate some of the important digital rights work of our grantees, which DFF is proud to support. Due to the context or sensitivity of some projects, not all the work DFF is supporting is shown here. We will continue to add case studies over time as new grants are approved and projects progress.
We have also produced more in-depth analyses of the impact, background, development and the application process on 11 of the case studies below, accessible here.
The case studies can be filtered by thematic focus area or type of grant support.
Extraction of asylum seeker mobile data in Germany
The German Asylum Act grants the Federal Ministry for Migration and Refugees the power to access the mobile devices of migrants and asylum seekers, without a warrant, in order to
Systematic violations of trans refugees’ digital identity rights
Urgence Homophobie is preparing strategic litigation to challenge systematic violations of trans refugees’ digital identity rights in France. According to Urgence Homophobie, in a context of full administrative digitalisation creating
Discrimination from required use of gender binary options on online forms
Mousse are challenging the use of online forms requiring people to indicate whether they consider themselves to be ‘Mr’ or ‘Ms’, which allow public and private bodies to collect data
Digital Services Act and Digital Markets Act designation dispute interventions
The Digital Services Act (DSA) and Digital Markets Act (DMA) recently came into force, creating an elaborate system of rules for digital services, such as social media or online marketplaces.
Exploitation of workers who train AI systems
AI systems rely on significant labour for their training and deployment. There are millions of data workers in the world who feed AI systems by producing, categorising and correcting data.
Barriers for Romani communities in accessing essential services due to digitalisation
ERRC state that the digitalisation of public services in Albania and Bulgaria has amplified systemic inequalities, disproportionately affecting marginalised communities, particularly Roma. While these initiatives were introduced to modernise administrative
Discriminatory automated digital identity status check services
Open Rights Group, Migrants’ Rights Network and Migrants At Work sought to determine how a test claim could be brought to challenge the Home Office’s use of automated digital identity
Blocking of access to LGBTQI+ content online
Háttér Society are preparing for litigation challenging the blocking of access to online LGBTQI+ content in Hungary. This relates to the adoption in 2021 of legislation that bans access of
Misuse of data protection law in Spain to stifle speech
In Spain, Xnet carried out research related to two examples where data protection law is being misused by the government to limit people’s rights to freedom of information and expression.
Data breaches by UK Secret Service MI5
The UK Investigatory Powers Act gives the government the power to gather information about what people say and do online, even when they are not suspected of a crime. In
Illegal Data Collection on Kids by App Stores
With the support of the 5Rights Foundation, Good Law Project made a submission in May 2025 to the UK Competition and Markets Authority (CMA) against Apple and Google app stores
UK’s national pupil database
The UK Department of Education collects highly sensitive personal data about students for the National Pupil Database, which is routinely shared with other departments and third parties for academic and
Online harassment and hate speech through anonymous Facebook pages
Coalition Margins are preparing a strategic legal response to the growing use of anonymous Facebook pages to orchestrate gender-based violence, hate speech, and coordinated attacks on civic activists in North
Misuse of copyright claims in Germany to stifle freedom of information
The German government is using copyright law to suppress documents published online, which have been legally obtained through freedom of information requests and contain information important for the public interest.
Predictive policing of minors
The “Top 400” programme in Amsterdam profiles minors and young adults to predict the 400 most likely to commit serious crimes. This programme is problematic because it disproportionately targets marginalised
Gender-Based Censorship of Sexual and Reproductive Health Content by Online Platforms
CIJ is preparing for litigation enforcing the EU Digital Services Act (DSA) to address gender-based censorship by Meta platforms and other Very Large Online Platforms (VLOPs). CIJ found that Meta
Invasive surveillance by the German intelligence service
Constitutional complaint against the amendment of the telecommunication surveillance regulation (“G10” ), which for the first time grants all 19 German intelligence services the right to use malware to surveil
Sharing of health data by German public health insurance providers
In Germany, public health insurance providers will soon begin transferring anonymised health data of millions of people to institutions for research. However, the security standards for the storage and transfer
Women’s rights website blocked in Spain
Spanish authorities blocked the website of Women on Web (WOW), a non-profit organisation sharing information on safe medical abortions. This coincides with an increase in barriers faced by women and
The “SyRI” welfare fraud risk-scoring algorithm
Under the guise of detecting potential welfare and tax fraud, the Dutch government introduced a computerised system (System Risk Indication or “SyRI”) that profiled individuals based on vast pools of
Mass collection of personal communications data
According to Human Rights Monitoring Institute (HRMI), in Lithuania in 2019, telecommunications companies were legally required to collect and store users’ personal communications data. This included information about who sent
Intrusive impacts of remote proctoring by universities in Germany
As exams were shifted online during the COVID-19 pandemic, some German universities began to use proctoring software to monitor students taking their exams. This software may violate fundamental rights by
Censorship of Kurdish-language news sites through blocking orders
SLAPP Watch Coalition are involved in litigation to challenge blocking orders on a Kurdish-language news portal. The are aiming for a Constitutional Court or European Court of Human Rights ruling
Apps that risk the privacy, safety and security of children and teens
5Rights is pressing for investigatory action against a widely-used American app popular among young children worldwide, citing significant safety concerns including inadequate protection of minors from bad actors, high likelihood
Restrictive copyright laws in Europe
Copyright is often used as a means to suppress or censor content online. The EU Information Society Directive allows for exceptions, for example in cases of parody or citation, serving
Illegal use of sensitive personal data related to menstruation, health and sex life by Flo Health
Association IUS Omnibus, supported by Spanish law firm Suderow Fernandez Abogadas, plan to file a class action lawsuit against Flo Health, Inc., in Spain, aiming to protect the right to
Gaining access to government algorithms in Germany
GFF believe that information about algorithm-driven technology used by state bodies in Germany should be accessible to anyone who wants to scrutinise it. When the public can check that technology
Data sharing between health services and immigration authorities in Germany
In Germany, undocumented migrants are at risk of privacy violations and deportation if they try to access healthcare services. This is because the social welfare office is obliged to share
Secret algorithms and hidden data flows violating rights of “gig workers”
“Gig workers” are oppressed, misclassified as self-employed and denied the right to a minimum wage, as well as freedom from discrimination and unfair dismissal. Their oppression is exacerbated by digitisation,
Invasive surveillance through thermal scanning
Thermal scanning has expanded in pandemic times to places like airports, schools, workplaces, and retailers. The concern is that unlawful and unevidenced use could lead to unnecessary violations of data
Discrimination against Muslims caused by algorithm use by banks
In 2024, PILP took litigation challenging automated decision making through the use of an algorithm by banks in the Netherlands, resulting in discrimination against people with “exotic” sounding names, whose
EU Passenger Name Record Directive
The EU Passenger Name Record (PNR) Directive obliges airlines to collect personal, and sometimes potentially sensitive, data of travellers and share it with government authorities. The data is mined and
The adtech industry’s unlawful data flows
The online advertising industry (adtech) is built on the trade of personal data, including intimate and sensitive details about individuals. Information about individuals is shared and sold across thousands of
Abuse of user data for AI training by Meta
Partners Serbia will implement a litigation and advocacy project that puts Serbia, and the Western Balkans, on a rights-centred path toward the EU Digital Single Market (DSM). In June 2024
Misuse of freelance workers’ data in Spain
In Spain, the data of millions of freelance workers is shared unlawfully by the registrar of freelance workers and the tax authorities with other public authorities, who then repurpose the
EU Data Adequacy and Digital Trade
In January 2019, the EU’s European Commission granted adequacy to Japan for its data protection laws, allowing personal data to flow freely between the EU and Japan. The adequacy decision
Mass surveillance through biometric ID cards in Germany
In Germany, since 2017, citizens’ personal information and photographs from their ID cards have been stored in registers that are accessible to various state bodies. Under German law, authorities such
Facebook data breach mass action
Digital Rights Ireland are taking a “mass action” lawsuit against Facebook. They will represent users who have been affected by the 3 April 2021 release of computer files containing personal
Ireland’s ID card for accessing public services
Ireland recently deployed a “Public Services Card” – an ID card with an electronic chip letting the government store people’s personal data (including photos). Digital Rights Ireland say the system
Data protection and data transfer issues for transgender people
The Lambda Warsaw Association is preparing for litigation in Poland related to data protection and data transfer issues experienced by transgender people in the process of and after getting their
Copyright enforcement by private parties against internet intermediaries
On 18 June 2021, Quad9, a non-profit Domain Name Server (DNS) resolver, received an interim injunction from the District Court of Hamburg, pursuant to an application made by Sony Music.
UK Home Office visa application streaming algorithm
In mid-2019, the media revealed that the UK Home Office had been using an algorithm/automated computer system for five years to process visa applications. Foxglove and JCWI argued that the
Digital surveillance and repression of the Palestinian people through technology provided by Spanish companies
The Grant supports NOVACT and SUDs to research how Spanish companies can be held legally accountable for their role in the digital surveillance and repression of the Palestinian people, and
Unlawful location monitoring of Glovo riders
Based on research carried out by Tracking Exposed (now rebranded into Reversing Works), privacy activists lodged a complaint before the data protection authority (DPA) of Italy. In November 2024, after
UK’s Snoopers’ Charter
The UK Investigatory Powers Act (IPA) grants the government power to collect and store information about everything people do and say online. This includes emails, texts, calls, location data and
France criminal records database expanded during COVID-19
In March 2020, France introduced an emergency law imposing a strict lockdown on the whole country. People who did not comply were subject to fines and even jail time. Authorities
Sweden’s unjust “Snitch law”
In Sweden, the so-called new “Snitch Law”, likely to enter into law in 2026, would force public employees to contact the Police Authority if they have reason to assume that
Intrusive and discriminatory impacts of remote proctoring in the UK
Due to the COVID-19 pandemic many educational institutions in the UK have moved exams online and are turning to remote proctoring as a monitoring solution. This potentially results in a
Facebook’s private censorship
Facebook and other online platforms have been criticised for their role in arbitrarily censoring legal content that is shared through their services. Without explanation Facebook removed pages belonging to Spoleczna
Illegal data sharing by Grindr
In December 2021, the Norwegian Data Protection Authority (DPA) issued an administrative fine of NOK 65 million (around EUR 6.5 million) against dating app Grindr for disclosing personal information about
Access to government algorithms in Poland
The Ministry of Justice in Poland is using a computer system to randomly allocate cases to judges. Some judges claim that since the system was deployed, they have been given
Discriminatory welfare risk-scoring algorithm
In October 2024, La Quadrature du Net (LQDN) along with 14 other organisations began litigation against a risk-scoring algorithm used by the CNAF (Caisse nationale d’allocations familiales), the family branch
Unlawful Biometric Surveillance in Serbian Healthcare and Education Institutions
Partners Serbia are challenging the illegal acquisition of automatic facial recognition equipment by education and health institutions in Serbia. The litigation will start with motions for the initiation of an
Collection and mass storage of data through automatic number plate recognition
Privacy First are challenging the Dutch Automatic Number Plate Recognition (ANPR) Act, which was adopted in November 2017 and entered into force in January 2019. The Act enables the Dutch
Collusion and discriminatory practices by urban transportation platforms
Association Taxi Project 2.0 carried out pre-litigation research to support the preparation of a complaint(s) against ride-sharing companies in Spain. Taxi Project has been analysing the behaviour of dynamic pricing
Homophobic hate speech on social media
Campaign Against Homophobia are supporting two LGBTQI+ activists in litigation up to the European Court of Human Rights to challenge the lack of practical tools to fight against the excessive
COVID-19 apps in Europe violating data protection and privacy
To help deal with the COVID-19 pandemic, governments are developing and rolling out apps related to contact-tracing, symptom-tracking, exposure notification, and quarantine-enforcement. Many governments are not taking data protection and
UK Police “digital strip search”
In 2019, the UK Police brought in new regulations on how police officers should gather data-based evidence to investigate certain criminal cases. Under the policy, police can request that the
Meta’s abuse of its dominant position in the social networking market
BIICL’s goal was to file a formal complaint to the European Commission demanding that they open an investigation into Meta on the basis that Meta are in breach of EU
Digital surveillance of social protection in Serbia
In Serbia, the Law on Social Card was adopted in 2021, establishing an electronic register containing the data of beneficiaries of social protection schemes, and enabling automated processing of data
Illegal use of personal data by Meta
The General Data Protection Regulation (GDPR) is supposed to give users a free choice as to whether or not they agree to the collection of their personal data. However, when
Access to information about online political advertising
K-Monitor is preparing for litigation challenging the lack of recourse for getting information about online political advertising on social media platforms. K-Monitor believes that online political advertising has a decisive
Data protection violations by data brokers
Online data brokers and advertising technology (adtech) companies gather data and build intricate profiles of internet users, which are then shared and sold to thousands of advertisers. Users have limited
Inactive Data Protection Authorities
noyb is taking litigation against the Luxembourg data protection authority (CNPD), challenging the inactivity of the CNPD in response to a complaint filed against Amazon back in 2019. noyb argues
Surveillance and hidden data sharing by Europol
This grant supports a case by Netherlands-based activist, Frank van der Linde. The case involves an application to the Court of Justice of the European Union (CJEU) to consider the
Mass surveillance of electronic communications metadata
The Greek law on the retention of electronic communications metadata (Law 3917/2011) was not revised following the 2014 ruling of the Court of Justice of the European Union (CJEU), which
Real-time attendance tracking of students
Defend Digital Me undertook both a complaint to the Information Commissioner’s Office and a judicial review of the UK Department for Education, aiming to stop its attendance tracker trial programme.
Discriminatory digital policies that marginalise Roma communities
The Center for Civil and Human Rights are taking litigation to challenge the disparate impact felt by some groups in Slovakia, in particular the Romani minority, due to unequal access
Injustice due to digitalisation of means tested welfare benefits
The Child Poverty Action Group (CPAG) is taking litigation in the UK related to the universal credit system administered by the UK Department for Work and Pensions. Universal credit is
Digital identity systems that infringe upon the rights of LGBTQI+ individuals
Accept is preparing for litigation related to Romania’s implementation of digital identity systems and their violation of EU law. They will develop a litigation strategy ensuring the protection of LGBTI+
Use of facial recognition technology by law enforcement and judicial authorities in Italy
StraLi for Strategic Litigation (StraLi) is preparing a strategic path to challenge the use of facial recognition technology by law enforcement and judicial authorities in Italy. They will also identify
Non-Consensual Tracking on Pornhub
Based on research carried out by Tracking Exposed (now rebranded into AI Forensics) since 2019, privacy activists have lodged complaints before the data protection authorities of Italy and Cyprus alleging
Mass data breach by the Bulgaria National Revenue Agency
In 2019, the Bulgaria National Revenue Agency servers were hacked, compromising personal data of approximately six million people. KDBM believes the hack was partly due to deficient security practices and
Digital practices that violate freedom of thought and opinion
Internet users are being profiled and targeted by various online and digital business practices in a way that influences how they think. Examples include the use of targeted advertising or
Processing of sensitive personal medical data in Czech Republic
In October 2024, IuRe filed a lawsuit with the Municipal Court in Prague to challenge the processing and use of sensitive personal medical data by the Czech Institute of Health
Secret, targeted surveillance in Hungary
Domestic law on surveillance in Hungary does not require individuals who have been subjected to surveillance measures to be notified of that fact. This means there are no adequate safeguards
Invasion of privacy of people living with HIV by medical institutions
Association Stronger Together Skopje (the Association) believe that the North Macedonia Ministry of Health’s data system, MojTermin leads to medical data of patients being processed and accessed by all medical
Enforcement of EU data protection law against non-EU companies
A Luxembourg resident discovered that their data was collected and offered for sale by Apollo and RocketReach, two US-based companies which collect and commercialise personal data on different online platforms.
Use of spyware against freedom of expression in Serbia
Amid a worsening climate for free expression in Serbia, journalists and activists have become key targets of digital rights violations, driven by state repression and intrusive surveillance practices. IJAS has
Unlawful surveillance and data-sharing of asylum seekers by the European Border and Coast Guard Agency
front-LEX is requesting the Court of Justice of the European Union (CJEU) to outlaw the European Border and Coast Guard Agency’s (Frontex’s) policy of systematically sharing the geolocation data of
Restricted data protection rights for non-citizens in Germany
People residing in Germany without German citizenship have their personal data automatically stored in a centralised database that can be accessed and shared by more than 14,000 government agencies. The
Government use of spyware against civil society in Spain
The case addresses unwarranted surveillance of personal devices and communications using Pegasus-type spyware by the Spanish State against civil society and, in particular, against one of the lawyers spied on
Exploitation of sensitive personal medical data by commercial entities
medConfidential is examining possible legal action in relation to the unlawful processing of patients’ medical data by Sensyne Health plc, a private company, which has data sharing agreements with several
The use of Pegasus malware on UK-based smartphones
GLAN are working in partnership with Bindmans LLP to devise a strategic litigation approach to achieve accountability for the use of Pegasus malware on UK-based smartphones in violation of individuals’
Misuse of technology against people on the move in Closed Controlled Access Centres
Border Violence Monitoring Network (BVMN) and I Have Rights, a refugee law clinic based in Samos, Greece, are preparing for litigation challenging the technology and surveillance infrastructure of the Samos
Complaints to data protection authorities pushing for the investigation of data brokers, adtech companies and credit rating agencies in the advertising technology industry.
Organisation: Privacy International
Grant type: Emergency Litigation
Thematic area: Privacy and data protection
defenddigitalme is taking legal action against the UK Department of Education to ensure that the data of students is collected and processed lawfully, fairly, and transparently.
Organisation: defenddigitalme
Grant type: Single Instance Litigation
Thematic area: Privacy and data protection
Litigation challenging website censorship and demanding that access to sexual and reproductive health services be recognised as a key part of the right to information in Spain.
Organisation: Women’s Link Worldwide, with Women on Web
Grant type: COVID-19 Litigation Fund
Thematic area: Free flow of information online
Litigation challenging the collection of personal data of airline passengers and the sharing of this data with government authorities.
Organisation: epicenter.works and Gesellschaft für Freiheitsrechte
Grant type: Single Instance Litigation
Thematic areas: Privacy and data protection
Litigation against universities in Germany to stop the processing of personal data through automated online proctoring software.
Organisation: Gesellschaft für Freiheitsrechte
Grant type: COVID-19 Litigation Fund
Thematic area: Privacy and data protection
Litigation to improve security standards and shorten retention periods for sharing of health data by insurance providers with research institutions.
Organisation: Gesellschaft für Freiheitsrechte
Grant type: COVID-19 Litigation Fund
Thematic area: Privacy and data protection
Research to prepare for litigation challenging examples where data protection law is misused by the Spanish government to limit freedom of information and expression
Research preparing for litigation challenging an inadequate data protection regime for people residing in Germany without German citizenship.
Organisation: Gesellschaft für Freiheitsrechte
Grant type: Pre-litigation Research
Thematic area: Privacy and data protection
Litigation to restrict access to photographs and personal information from biometric ID cards.
Organisation: Gesellschaft für Freiheitsrechte
Grant type: Emergency Litigation
Thematic area: Privacy and data protection
Legal action demanding access to information about algorithm-driven technology used by state bodies in Germany
Organisation: Gesellschaft für Freiheitsrechte
Grant type: Emergency Litigation
Thematic area: Privacy and data protection
Research to prepare for litigation to challenge the practice in Germany of accessing sensitive personal data on the mobile devices of migrants and asylum seekers upon arrival in the country.
Organisation: Gesellschaft für Freiheitsrechte
Grant type: Pre-litigation Research
Thematic area: Privacy and data protection
Appeal to gain access to the content of an algorithm used to allocate judges to cases.
Organisation: ePaństwo Foundation
Grant type: Single Instance Litigation
Thematic area: Human rights standards in the use and design of technology
Coordinated complaints to data protection authorities across the EU pushing for changes to the online advertising industry so that users have control over how their data is used.
Organisation: Open Rights Group, Civil Liberties Union for Europe and Panoptykon
Grant type: Pre-litigation Research and Single Instance Litigation
Thematic area: Privacy and data protection
Facebook censorship and changing corporate policies on content moderation towards a fair, transparent, and regulated system.
Organisation: Panoptykon Foundation
Grant type: Single Instance Litigation
Thematic area: Free Flow of Information Online
Litigation preventing the expansion of a criminal record database to include COVID-19 lockdown infringements.
Organisation: La Quadrature du Net
Grant type: COVID-19 Litigation Fund
Thematic area: Privacy and data protection
Cross-jurisdictional litigation action to stop the use of COVID-19 apps that do not respect people’s rights to privacy and data protection.
Organisation: Civil Liberties Union for Europe, with Access Now and member organisations across 12 EU countries
Grant type: COVID-19 Litigation Fund
Thematic area: Privacy and data protection; Human rights standards in the use and design of technology
Research to prepare a strategic case challenging restrictions to copyright exceptions that limit freedom of expression and access to information.
Organisation: Digital Republic Bulgaria, with Defesa dos Direitos Digitais, Homo Digitalis, Centrum Cyfrowe, and Association for Technology and Internation (ApTI)
Grant type: Pre-litigation Research
Thematic area: Free flow of information online
After a legal challenge brought by two victims of rape, the UK police agreed to revoke a “digital strip search” policy.
Organisation: Big Brother Watch
Grant type: Single Instance Litigation
Thematic area: Privacy and data protection
Litigation ensuring the increased roll out of thermal scanning technology does not violate privacy and data protection rights.
Organisation: Big Brother Watch
Grant type: COVID-19 Litigation Fund
Thematic area: Privacy and data protection; Human rights standards in the use and design of technology
Litigation to prevent the use of remote proctoring software until data rights and equality issues are resolved.
Organisation: Open Knowledge Foundation
Grant type: COVID-19 Litigation Fund
Thematic area: Privacy and data protection; Human rights standards in the use and design of technology
Research to prepare a strategic case challenging digital practices that interfere with the rights to freedom of thought and opinion.
Organisation: Susie Alegre and Centre d’étude sur les conflits
Grant type: Pre-litigation Research
Thematic area: Privacy and data protection
Litigation against the UK government challenging the UK Investigatory Powers Act, which grants the government mass surveillance powers.
Organisation: Liberty
Grant type: Single Instance Litigation
Thematic area: Privacy and data protection
Litigation in the UK Investigatory Powers Tribunal challenging data breaches by the UK Security Service.
Organisation: Liberty
Grant type: Single Instance Litigation
Thematic area: Privacy and data protection
A coalition in the Netherlands successfully challenged the use of the “SyRI” risk-scoring algorithm by the Dutch government.
Organisation: A coalition of NGOs, the Dutch trade union federation and two citizens, led by the Public Interest Litigation Project (PILP-NJCM) and Platform Bescherming Burgerrechten
Grant type: Single Instance Litigation
Thematic area: Human rights standards in the use and design of technology