You are here:
  1. Home
  2. News
  3. Blog
  4. Unsocial media: taking on the tech giants

Unsocial media: taking on the tech giants

20 March 2019

Ravi Naik and Shirin Marker from ITN Solicitors discuss your rights to your data and what to be aware of if considering how to bring a case against a tech giant.


Facebook has sought to pivot to privacy. Will Mr Zuckerberg and his company really be trusted by the public to contain and respect our personal information? Given that the Digital, Culture, Media and Sport Committee (pdf) recently called the company "digital gangsters", this may seem unlikely.

Indeed, barely a day goes by without a story concerning Facebook's data practices. At the time of writing, the Wall Street Journal revealed that Facebook can receive information from numerous apps even if, in some cases, the user does not have a Facebook account. These included applications which reportedly shared with Facebook when users were having their periods or were trying to become pregnant. It was also revealed that the company allowed advertisers to directly target people interested in "Nazis" and to spread misinformation about vaccinations.

Such revelations continue to arise at a concerning speed and scale. The reactions to these stories may be the spark of a data rights revolution that will gather pace in the coming years. As Edward Snowden was to government surveillance, Mark Zuckerburg may unwittingly be to personal data protection. The introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) have also alerted tech companies and the wider public to a growing trend in the power of data rights as human rights.

As a result, we are likely to see an increase in cases as individuals seek to assert their rights against tech giants. Such claims are likely to occupy caseloads as well as headlines, what issues should individuals be aware of when considering whether and how to bring a case against a tech giant.  

Jurisdiction: Data flows v legal blows

The first issue is what to do when a tech giant has numerous entities across the globe, often with their main headquarters in the US. How is jurisdiction to apply to data, which can flow across states instantaneously and without restriction? The data protection regime provides some answers.

Under the regime before the GDPR, the Data Protection Directive 1995 (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ), jurisdiction was to apply whenever data processing was carried out "in the context of the activities of an establishment in the territory of a Member State".

How does this work in practice? In our case on behalf of American Professor David Carroll against the now notorious Cambridge Analytica and its parent companies, they sought to reject this jurisdictional position outright, saying that it would be "territorially extravagant" for Professor Carroll to have jurisdiction over his data. Based on this belief, they told the Information Commissioner's Office (ICO) – the regulator of their very business – that as an American, Professor Carroll had no more rights to his data "than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan."

The ICO disagreed. In May 2018, it issued an Enforcement Notice, directing the firm to give Professor Carroll his data. Cambridge Analytica's parent company did not comply and the company pled guilty to the criminal offence of breaching an Enforcement Notice in January 2019.

By prosecuting the company, the ICO emphasised that people outside the UK had data rights and they would be enforceable. "This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law," the information commissioner, Elizabeth Denham, said in a statement following the hearing. "Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply."

The GDPR takes matters further, with Article 3 extending jurisdiction to "the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not." That is a broad and sweeping jurisdictional clause. Jurisdiction is not tied to the territory of a state but to the sovereignty of data processing. Whether the data subject is abroad may be irrelevant. Establishment is key.

Data controllers: who controls wins?

A further matter is the question of who is responsible for infringements of the GDPR? The key term under the GDPR is "data controllers".

The Court of Justice of the European Union (CJEU) has held that a "broad definition" should be given to the term "data controller" and confirmed that the concept of "controller of the processing of personal data" may concern several actors taking part in the processing.  The CJEU has also found that there can be joint responsibility between numerous controllers even if they do not all have access to the personal data.

The CJEU's desire to maintain a broad definition of "data controller" is an important practice point for those seeking to bring claims for data protection infringements.

Where are we going?

The remedies available for data infringements under the GDPR have been strengthened. For example, the ICO has been given increased scope to fine data abusers, from less than €1 million under the old regime, to 4% of worldwide turnover or €20 million under the GDPR (whichever is greater).

However, there are limitations. For example, in the absence of a "controller" or "processor", individuals may be left without a remedy. Furthermore, the lack of international harmony over data protection may lead to data piracy, as those that would not seek to respect the law may seek to "offshore" their companies in an attempt to evade accountability. The internationalisation of data rights may become necessary to ensure adequate protection over these fundamental human rights.


Views expressed in our blogs are those of the authors and do not necessarily reflect those of the Law Society.

Ravi is speaking at our half-day conference, Data protection in transition: GDPR and DPA compliance for law firms. Keep up-to-date with evolving data protection laws, the ePrivacy regulation, cybersecurity, and much more. Expert speakers include: Frank Maher partner Legal Risk LLP,  and Peter Wright managing director DigitalLawUK. Tuesday 2 April, 13:00 – 17:10, from £175 + VAT 

Nominate yourself, your firm, a colleague, for the new category Excellence in Access to Justice, or Human Rights Solicitor of the Year for our 2019 Excellence Awards. There is no limit on how many free entries you can submit

Our new Lawtech Report highlights key developments and what this means for the work of the profession and the business of law

Sign up for our weekly GDPR and cybersecurity newsletter to keep yourself up to date

Explore our advice and guidance on GDPR compliance

Explore our cybersecurity resources

Tags: social media

About the author

Ravi Naik, the Law Society's 2018 Human Rights Lawyer of the Year, is a multi-award winning solicitor with a ground breaking practice at the forefront of data rights and technology. Ravi represents clients in some of the most high profile data rights cases. These include the case against Cambridge Analytica for political profiling, claims against Facebook for their privacy policies and data practices, challenges to financial profiling companies and the leading regulatory complaint against the Advertising Technology industry. Ravi is a well-known advocate and speaker on developing rights in technology and has written extensively on the new data rights movement. Ravi is also often sought for his commentary in the media on a range of data rights issues.

Follow Ravi on Twitter

About the author

Shirin Marker is a solicitor specialising in public law and human rights related work. She is developing her practice in data rights, national security and civil claims against government departments. Prior to joining ITN, she spent time at the Brussels office of the Law Society, researching the impact of Brexit on areas such as data protection and national security.

  • Share this page:

Abigail Bright | Adam Johnson | Adele Edwin-Lamerton | Ahmed Aydeed | Alan East | Alex Barr | Alex Heshmaty | Alexa Lemzy | Alexandra Cardenas | Amanda Adeola | Amanda Carpenter | Amanda Jardine Viner | Amy Bell | Amy Heading | an anonymous sole practitioner | Andrew Kidd | Andrew McWhir | Andy Harris | Anna Drozd | Annaliese Fiehn | Anne Morris | Anne Waldron | anonymous female solicitor | Asif Afridi and Roseanne Russell | Bansi Desai | Barbara Whitehorne | Barry Wilkinson | Becky Baker | Ben Hollom | Bhavisha Mistry | Bob Nightingale | Bridget Garrood | Caroline Marlow | Caroline Roddis | Caroline Sorbier | Carolyn Pepper | Catherine Dixon | Chris Claxton-Shirley | Christina Blacklaws | Ciaran Fenton | Coral Hill | CV Library | Daniel Matchett | Daphne Perry | David Gilroy | David Yeoward | Douglas McPherson | Duncan Wood | Elijah Granet | Elizabeth Rimmer | Eloise Skinner | Emily Miller | Emily Powell | Emma Maule | Floyd Porter | Gary Richards | Gary Rycroft | Graham Murphy | Greg Treverton-Jones | Gustavo Bussmann | Hayley Stewart | Hilda-Georgina Kwafo-Akoto | Ignasi Guardans | James Castro Edwards | Jane Cassell | Jayne Willetts | Jeremy Miles | Jerry Garvey | Jessie Barwick | Joe Egan | Jonathan Andrews | Jonathan Fisher | Jonathan Smithers | Jonathon Bray | Julian Hall | Julie Ashdown | Julie Nicholds | June Venters | Justin Rourke | Karen Jackson | Kate Adam | Katherine Cousins | Kaweh Beheshtizadeh | Kayleigh Leonie | Keiley Ann Broadhead | Kerrie Fuller | Kevin Hood | Kevin Poulter | Larry Cattle | Laura Bee | Laura Devine | Laura Uberoi | Law Gazette Jobs | Leah Glover and Julie Ashdown | Leanne Yendell | Lee Moore | LHS Solicitors | Linden Thomas | Lucy Parker | Maria Shahid | Marjorie Creek | Mark Carver | Mark Leiser | Markus Coleman | Martin Barnes | Mary Doyle | Matt O'Brien | Matt Oliver | Matthew Still | Max Rossiter | Melinda Giles | Melissa Hardee | Michael Henson-Webb | Neil Ford | Nick Denys | Nick O'Neill | Nick Podd | Nigel West | Nikki Alderson | Oz Alashe | Paris Theodorou | Patrick Wolfe | Paul Bennett | Paul Rogerson | Paul Wilson | Pearl Moses | Penny Owston | Peter Wright | Philippa Southwell | Preetha Gopalan | Prof Sylvie Delacroix | Rachel Brushfield | Rafie Faruq | Ranjit Uppal | Ravi Naik | Rebecca Atkinson | Remy Mohamed | Richard Collier | Richard Coulthard | Richard Heinrich | Richard Mabey | Richard Messingham | Richard Miller | Richard Roberts | Rita Gupta | Rob Cope | Robert Bourns | Robert Forman | Robin Charrot | Rosa Coleman | Rosy Rourke | Sachin Nair | Saida Bello | Sally Azarmi | Sally Woolston | Sam De Silva | Sara Chandler | Sarah Austin | Sarah Crowe | Sarah Henchoz | Sarah Smith | Shereen Semnani | Shirin Marker | Siddique Patel | Simon Day | Sofia Olhede | Sonia Aman | Sophia Adams Bhatti | Sophie O'Neill-Hanson | Steve Deutsch | Steve Thompson | Stuart Poole-Robb | Sue James | Susa | Susan Acland-Hood | Susan Kench | Suzanne Gallagher | The Law Society Digital and Brand team | Tom Chapman | Tom Ellen | Tony Roe | Tracey Calvert | Umar Kankiya | Vanessa Friend | Vicki Butler | Vidisha Joshi | William Li | William McSweeney | Zoë Paton-Crockett