Case Studies

In 2024, PILP took litigation challenging automated decision making through the use of an algorithm by banks in the Netherlands, resulting in discrimination against people with "exotic" sounding names, whose

On 18 June 2021, Quad9, a non-profit Domain Name Server (DNS) resolver, received an interim injunction from the District Court of Hamburg, pursuant to an application made by Sony Music.

BIICL’s goal was to file a formal complaint to the European Commission demanding that they open an investigation into Meta on the basis that Meta are in breach of EU

This grant supports a case by Netherlands-based activist, Frank van der Linde. The case involves an application to the Court of Justice of the European Union (CJEU) to consider the

In October 2024, La Quadrature du Net (LQDN) along with 14 other organisations began litigation against a risk-scoring algorithm used by the CNAF (Caisse nationale d’allocations familiales), the family branch

GFF believe that information about algorithm-driven technology used by state bodies in Germany should be accessible to anyone who wants to scrutinise it. When the public can check that technology

The Center for Civil and Human Rights are taking litigation to challenge the disparate impact felt by some groups in Slovakia, in particular the Romani minority, due to unequal access

The “Top 400” programme in Amsterdam profiles minors and young adults to predict the 400 most likely to commit serious crimes. This programme is problematic because it disproportionately targets marginalised

People residing in Germany without German citizenship have their personal data automatically stored in a centralised database that can be accessed and shared by more than 14,000 government agencies. The

Defend Digital Me undertook both a complaint to the Information Commissioner's Office and a judicial review of the UK Department for Education, aiming to stop its attendance tracker trial programme.

The EU Passenger Name Record (PNR) Directive obliges airlines to collect personal, and sometimes potentially sensitive, data of travellers and share it with government authorities. The data is mined and

Based on research carried out by Tracking Exposed (now rebranded into Reversing Works), privacy activists lodged a complaint before the data protection authority (DPA) of Italy. In November 2024, after

Privacy First are challenging the Dutch Automatic Number Plate Recognition (ANPR) Act, which was adopted in November 2017 and entered into force in January 2019. The Act enables the Dutch

In 2019, the UK Police brought in new regulations on how police officers should gather data-based evidence to investigate certain criminal cases. Under the policy, police can request that the

Thermal scanning has expanded in pandemic times to places like airports, schools, workplaces, and retailers. The concern is that unlawful and unevidenced use could lead to unnecessary violations of data

The Child Poverty Action Group (CPAG) is taking litigation in the UK related to the universal credit system administered by the UK Department for Work and Pensions. Universal credit is

Amid a worsening climate for free expression in Serbia, journalists and activists have become key targets of digital rights violations, driven by state repression and intrusive surveillance practices. IJAS has

In Germany, since 2017, citizens’ personal information and photographs from their ID cards have been stored in registers that are accessible to various state bodies. Under German law, authorities such

In March 2020, France introduced an emergency law imposing a strict lockdown on the whole country. People who did not comply were subject to fines and even jail time. Authorities

Campaign Against Homophobia are supporting two LGBTQI+ activists in litigation up to the European Court of Human Rights to challenge the lack of practical tools to fight against the excessive

Digital Rights Ireland are taking a “mass action” lawsuit against Facebook. They will represent users who have been affected by the 3 April 2021 release of computer files containing personal

Based on research carried out by Tracking Exposed (now rebranded into AI Forensics) since 2019, privacy activists have lodged complaints before the data protection authorities of Italy and Cyprus alleging

Under the guise of detecting potential welfare and tax fraud, the Dutch government introduced a computerised system (System Risk Indication or “SyRI”) that profiled individuals based on vast pools of

In December 2021, the Norwegian Data Protection Authority (DPA) issued an administrative fine of NOK 65 million (around EUR 6.5 million) against dating app Grindr for disclosing personal information about

In 2019, the Bulgaria National Revenue Agency servers were hacked, compromising personal data of approximately six million people. KDBM believes the hack was partly due to deficient security practices and

CIJ is preparing for litigation enforcing the EU Digital Services Act (DSA) to address gender-based censorship by Meta platforms and other Very Large Online Platforms (VLOPs). CIJ found that Meta

Partners Serbia are challenging the illegal acquisition of automatic facial recognition equipment by education and health institutions in Serbia. The litigation will start with motions for the initiation of an

Foxglove, with the Independent Publishers Alliance, is pushing UK and European competition regulators to intervene and stop Google from using AI tools to scrape the work of independent news reporters

As exams were shifted online during the COVID-19 pandemic, some German universities began to use proctoring software to monitor students taking their exams. This software may violate fundamental rights by

SLAPP Watch Coalition are involved in litigation to challenge blocking orders on a Kurdish-language news portal.The are aiming for a Constitutional Court or European Court of Human Rights ruling that

In Spain, the data of millions of freelance workers is shared unlawfully by the registrar of freelance workers and the tax authorities with other public authorities, who then repurpose the

In Germany, public health insurance providers will soon begin transferring anonymised health data of millions of people to institutions for research. However, the security standards for the storage and transfer

The Digital Services Act (DSA) and Digital Markets Act (DMA) recently came into force, creating an elaborate system of rules for digital services, such as social media or online marketplaces.

With the support of the 5Rights Foundation, Good Law Project made a submission in May 2025 to the UK Competition and Markets Authority (CMA) against Apple and Google app stores

Due to the COVID-19 pandemic many educational institutions in the UK have moved exams online and are turning to remote proctoring as a monitoring solution. This potentially results in a

ERRC state that the digitalisation of public services in Albania and Bulgaria has amplified systemic inequalities, disproportionately affecting marginalised communities, particularly Roma. While these initiatives were introduced to modernise administrative

5Rights is pressing for investigatory action against a widely-used American app popular among young children worldwide, citing significant safety concerns including inadequate protection of minors from bad actors, high likelihood

The Ministry of Justice in Poland is using a computer system to randomly allocate cases to judges. Some judges claim that since the system was deployed, they have been given

“Gig workers” are oppressed, misclassified as self-employed and denied the right to a minimum wage, as well as freedom from discrimination and unfair dismissal. Their oppression is exacerbated by digitisation,

Constitutional complaint against the amendment of the telecommunication surveillance regulation (“G10” ), which for the first time grants all 19 German intelligence services the right to use malware to surveil

Mousse are challenging the use of online forms requiring people to indicate whether they consider themselves to be ‘Mr’ or ‘Ms’, which allow public and private bodies to collect data

AI systems rely on significant labour for their training and deployment. There are millions of data workers in the world who feed AI systems by producing, categorising and correcting data.

To help deal with the COVID-19 pandemic, governments are developing and rolling out apps related to contact-tracing, symptom-tracking, exposure notification, and quarantine-enforcement. Many governments are not taking data protection and

noyb is taking litigation against the Luxembourg data protection authority (CNPD), challenging the inactivity of the CNPD in response to a complaint filed against Amazon back in 2019. noyb argues

TGEU will support efforts across multiple European countries to advance the rights of marginalised trans communities and their rights to recognition of private life in the EU. Specifically, the project

The UK Department of Education collects highly sensitive personal data about students for the National Pupil Database, which is routinely shared with other departments and third parties for academic and

The General Data Protection Regulation (GDPR) is supposed to give users a free choice as to whether or not they agree to the collection of their personal data. However, when

Facebook and other online platforms have been criticised for their role in arbitrarily censoring legal content that is shared through their services. Without explanation Facebook removed pages belonging to Spoleczna

The online advertising industry (adtech) is built on the trade of personal data, including intimate and sensitive details about individuals. Information about individuals is shared and sold across thousands of

Association IUS Omnibus, supported by Spanish law firm Suderow Fernandez Abogadas, plan to file a class action lawsuit against Flo Health, Inc., in Spain, aiming to protect the right to

In Germany, undocumented migrants are at risk of privacy violations and deportation if they try to access healthcare services. This is because the social welfare office is obliged to share

The case addresses unwarranted surveillance of personal devices and communications using Pegasus-type spyware by the Spanish State against civil society and, in particular, against one of the lawyers spied on

In mid-2019, the media revealed that the UK Home Office had been using an algorithm/automated computer system for five years to process visa applications. Foxglove and JCWI argued that the

The UK Investigatory Powers Act gives the government the power to gather information about what people say and do online, even when they are not suspected of a crime. In

Domestic law on surveillance in Hungary does not require individuals who have been subjected to surveillance measures to be notified of that fact. This means there are no adequate safeguards

Ireland recently deployed a “Public Services Card” – an ID card with an electronic chip letting the government store people’s personal data (including photos). Digital Rights Ireland say the system

Spanish authorities blocked the website of Women on Web (WOW), a non-profit organisation sharing information on safe medical abortions. This coincides with an increase in barriers faced by women and

A Luxembourg resident discovered that their data was collected and offered for sale by Apollo and RocketReach, two US-based companies which collect and commercialise personal data on different online platforms.

Online data brokers and advertising technology (adtech) companies gather data and build intricate profiles of internet users, which are then shared and sold to thousands of advertisers. Users have limited

The German government is using copyright law to suppress documents published online, which have been legally obtained through freedom of information requests and contain information important for the public interest.In

The UK Investigatory Powers Act (IPA) grants the government power to collect and store information about everything people do and say online. This includes emails, texts, calls, location data and

Partners Serbia will implement a litigation and advocacy project that puts Serbia, and the Western Balkans, on a rights-centred path toward the EU Digital Single Market (DSM). In June 2024

front-LEX is requesting the Court of Justice of the European Union (CJEU) to outlaw the European Border and Coast Guard Agency’s (Frontex’s) policy of systematically sharing the geolocation data of

According to Human Rights Monitoring Institute (HRMI), in Lithuania in 2019, telecommunications companies were legally required to collect and store users' personal communications data. This included information about who sent