Testing a Framework for Setting GDPR Litigation Priorities

By Jonathan McCully, 18th October 2019

Data protection rights are engaged in nearly every aspect of our lives. From taking public transport, to registering to vote, exercising, and shopping. Under the recent General Data Protection Regulation (GDPR), there are significantly more opportunities for cases to be taken to vindicate data protection rights across these different domains.

However, with capacity and resources being limited, it can be difficult to know where to begin when it comes to enforcing this important piece of legislation. When trying to develop a strategy for GDPR litigation, a number of questions might arise: Where are the most pressing areas for GDPR work? What factors should we look at when setting litigation priorities? What metrics can we use, as a field, to pin-point shared litigation goals that we can collectively work towards?

At DFF’s meeting last month on unlocking the GDPR’s strategic litigation opportunities, participants discussed and critiqued a nascent framework that could help in answering some of these questions. The framework emerged from conversations DFF held leading up to the event with litigators seeking to leverage the GDPR in their digital rights litigation. It is intended to act as a tool to help establish shared GDPR litigation priorities.

Using a revised version of Maslow’s Hierarchy of Needs, the framework involves the application of a pyramid of “human needs” to the GDPR context to help establish what the most pressing issues might be when it comes to GDPR litigation. At the bottom of the pyramid are the higher priority needs of “social connection and social collaboration” (e.g. teamwork, the feeling of belonging, and family and community ties), “physiological needs” (e.g. access to food, water, shelter, and warmth) and “safety needs” (e.g. job security, adequate resources, health, and safe environments).

A Draft Framework for GDPR Litigation Priorities Based on Maslow’s Hierarchy of Needs

What do these needs have to do with the GDPR? Some of these fundamental needs can be served through the protection and promotion of data protection rights alongside other areas of human rights enforcement. For instance, some unlawful data processing practices may be hindering, deterring or even preventing individuals from accessing social security provisions and similar public services that serve a fundamental physiological need. While other unlawful data processing practices may contribute towards workplace surveillance, discrimination, and unfair hiring/dismissal practices that threaten job security, access to resources and the forging of social connections. Visualising where certain GDPR issues fall across this spectrum of human needs can be a useful way of establishing those issues that are of highest priority in our broader push for promoting and protecting the right to data protection.

During the meeting, participants reiterated that it would be useful to have a workable framework that could help establish shared goals and priorities for GDPR litigation. A number of participants observed that the draft framework was a useful way of linking GDPR work more concretely to other civil society and human rights movements. Others noted that it was an intuitive way of identifying harms or damage that might result from data protection violations and working from there, rather than a specific breach of a GDPR provision. They also noted that it was a useful exercise for taking a step back from specific GDPR non-compliance and thinking about what the real-world impact of our GDPR enforcement actions might be.

A number of constructive observations were also made about the framework and how it might be revised. For instance, using a hierarchy of needs in the human rights context gives rise to a number of concerns. Human rights should be protected equally and should not be viewed as a hierarchy of protections. Perhaps, therefore, the framework should be visualised as a circle of inter-connected human needs rather than a pyramid? The framework also fails to capture the systemic nature of some data protection harms, and how the widespread nature of some violations may render them more pressing and of higher priority. Finally, questions were raised about when and how it might be most useful to use a framework like this. Would it be most useful for mapping out organisational priorities for GDPR work? Or would it be better suited as a tool for identifying cases or communicating the impact of data protection issues to the general public?

At the event, a number of participants expressed an interest in discussing, critiquing and hacking this framework further to see if it can be developed into a practical tool for identifying and articulating strategic litigation goals. These conversations will be held in the coming weeks. We want to hear from others in the field who would like to join us in this exciting conversation, so please do get in touch if you are interested!