A. Introduction
Contesting automated systems is challenging due to the need for specific legal expertise, a comprehensive understanding of the system in place, and ample resources. One major barrier is the opaqueness surrounding algorithms, which makes it difficult for people who are subjected to them to detect their presence and understand their inner workings. Automated systems often operate in the shadows and are invisible to outsiders, so individuals may not even realize that their application has been subjected to automated assessment. Contesting automated systems also demands technical expertise and access to information that is often protected as a trade secret or withheld to safeguard national security, especially in the case of migration. Consequently, although individuals affected by these tools have initiated a few litigation efforts, likely due to a lack of resources and knowledge, civil society organizations (CSOs) have emerged as the primary actors contesting the use of automated systems.
Strategic litigation is vital to advancing human rights in the digital age, particularly where vulnerable data subjects, such as migrants and protection seekers, suffer significant power imbalances. Acknowledging the importance of CSOs in protecting digital rights, the General Data Protection Regulation (GDPR) offers new legal opportunities for strategic litigation. For example, Article 80 of the GDPR explicitly allows non-profit organizations to bring complaints on behalf of data subjects. Moreover, regarding automated decision-making, EU law sets different safeguards for individual rights, most notably the right not to be subject to an automated decision, rights of access and transparency, and remedies for violating data protection law. The venues offered by EU data protection law complement other available remedies to challenge automated systems, deriving from international human rights law, EU primary law, public administrative law principles, and constitutional rights of EU Member States.
Considering the different legal venues available and the practical challenges in contesting automated systems highlighted above, in this Article, we investigate specifically how EU data protection law is mobilized to defend migrants’ and asylum seekers’ digital rights.Footnote 1 This question is important to study because migrants, including asylum seekers, are among the most vulnerable data subjects as they face the risk of being denied entry to a territory or being deported at any time with little power to contest. We address this question from a socio-legal perspective, showing not only what venues EU data protection law offers but also how CSOs use them in practice. By exploring the role of legal mobilization in addressing systemic issues faced by migrants and asylum seekers, our Article aims to contribute to a broader understanding of how legal mobilization can drive changes in law, policy, and implementation of automated systems.
In the next section, Section B, we establish our conceptual framework, locating “strategic litigation” within CSOs’ broader efforts of “legal mobilization.” Despite some emerging studies that use legal mobilization frameworks to examine contestation against digital rights and migrant rights separately, we point out the scarcity of scholarship in analyzing legal mobilization against the use of automated systems on migrants and asylum seekers. Our Article aims to fill this gap. After briefly outlining the affordances of EU law for contesting automated systems, we introduce our key research question—to what extent does EU law empower strategic litigants—and outline our approach to studying it. We explain the case studies we have selected, demonstrating various instances of CSOs working to contest automated systems used in migration and asylum contexts.
Moving on to Section C, we analyze the efforts of CSOs to overcome these barriers to litigation. We find that CSOs mobilize in three main ways. First, they utilize freedom of information (FOI) laws to demand transparency regarding the presence and functioning of the technologies they are concerned with. Second, they seek specialized legal and technical expertise by engaging technologists and legal advisers who are experts in data protection laws, as well as by forming coalitions with external actors when they lack this expertise in-house. Third, after gathering sufficient information and evidence on (potential) harms, they choose to submit their complaints to the relevant Data Protection Authorities (DPAs) in their countries or file their claims in courts, depending on the “legal opportunity structures” in the jurisdictions they operate and to what extent they can overcome the barriers.
In our concluding discussion, we combine our conceptual framework and findings and argue that the several barriers faced by CSOs hamper their possibility of even reaching the litigation stage and access to justice. We metaphorically illustrate the pre-litigation phase as a wall consisting of multiple hurdles that exemplify the barriers they encounter and the strategies they need to use to overcome them. Finally, we provide recommendations to dismantle this wall, thereby enabling strategic litigants to contribute to shaping a digital society in compliance with fundamental rights and democratic principles.
B. Framing Strategic Litigation Against Automated Systems
I. Strategic Litigation as a Form of Legal Mobilization
The term “strategic litigation” lacks a universally accepted definition in the literature;Footnote 2 however, most studies agree that it involves a purposeful approach to litigation aimed at achieving structural change beyond individual benefit. In contrast to “common litigation,” which focuses on defending individual interests, strategic litigation is intentionally pursued to achieve outcomes with broader societal implications. This approach leverages courts to drive reform at a structural level and challenges the distribution of legal, political, social, or economic goods in society.Footnote 3 Although common litigation may incidentally result in broader impacts, such outcomes are unplanned and unintended.
Moreover, strategic litigation is sometimes used interchangeably with “public interest litigation.”Footnote 4 This refers to “civil rights advocacy seeking to restructure public agencies” or public policies.Footnote 5 In contrast to traditional litigation, which aims to settle “disputes between private parties about private rights,”Footnote 6 public interest litigation seeks to promote public welfare. The term “strategic litigation” is also sometimes used interchangeably with “test case litigation,” but their objectives may differ. Test case litigation primarily aims to test arguments or legal principles, establishing precedents for the future. In contrast, strategic litigation not only seeks to establish precedents but also aims to influence the political agenda through litigation.Footnote 7
The concept of “strategic litigation” also shares similarities with “legal mobilization,” which involves “the use of law in an explicit, self-conscious way through the invocation of a formal institutional mechanism.”Footnote 8 In one of the earlier works on legal mobilization, Zemans states that legal mobilization is intrinsically linked to the assertion of rights:
Defining legal mobilization as the act of invoking legal norms to regulate behavior is purposively broad enough to include the earliest stage of legal activity; in its simplest case, a particular behavior is demanded by verbal appeal to the law. The law is thus mobilized when a desire or want is translated into a demand as an assertion of one’s rights.Footnote 9
The scholarship on legal mobilization refers to using the law to build, energize, or shape social movements, as well as political agendas.Footnote 10 This scholarship corrected the early social movement literature’s lack of emphasis on using the law as a means of mobilization.Footnote 11 In that sense, the scholarship on legal mobilization has broadened the social movement field by looking at how actors shape a social movement through the use of law.Footnote 12 It also examines how actors interact with the law when there is no alternative way to perform their rightsFootnote 13 on an everyday basis—through the attainment of legal consciousness over a period of time.Footnote 14 However, this consciousness can alter after the experience of litigation.Footnote 15 Analyzing how activists mobilized around disability, Lisa Vanhala defines the scope of the term as the following:
Legal mobilization can include many different types of strategies and tactics, such as raising rights consciousness among particular communities or the public, delivering public legal education or specialized legal education, lobbying for law reform or changes in the levels of access to justice, providing summary legal advice and referral services, and undertaking strategic or test case litigation.Footnote 16
The term “legal mobilization” connotes a wider range of activities to mobilize the law, compared with “strategic litigation,” which is focused on litigation alone.
Drawing upon this scholarship, in this Article, we use the term “strategic litigation” to examine how various actors use litigation to pursue objectives beyond individual cases,Footnote 17 treating it as one of the forms of legal mobilization. We define “strategic litigation” as “the intentional use of litigation to effect legal or policy change beyond individual cases.” To explore broader uses of the law, including alternative legal avenues for seeking justice, we use the term “legal mobilization.” In the context of automated decision-making systems in migration and asylum, available legal routes include seeking information from public authorities through FOI laws, seeking redress for violations of data protection law through DPAs, and providing witness evidence in court cases.
Overall, the scholarship analyzing the use of litigation for broader objectives has evolved in different strands. One strand of this scholarship focuses solely on the success of strategic litigation. Several studies have explored the effectiveness of litigation in terms of changing the law, using the law in a new way, or altering the implementation of existing laws. However, as Helen Duffy points out, the success of strategic litigation cannot always be understood by looking at the outcome of a court case alone but by the wider impacts that particular litigation has given rise to.Footnote 18 For example, looking at the impact of judicial activism on socioeconomic rights in Latin America, Rodriguez-Garavito finds that judicial decisions can lead to both direct and indirect material and symbolic impacts.Footnote 19 On the one hand, the direct material impact refers to the establishment of a legal precedent and changes in the implementation of the law. On the other hand, the indirect symbolic impact involves transforming public opinion.
This second strand of scholarship conceptualizes success more broadly in terms of changing political debates and public opinions about the issue at hand. This scholarship also takes a different epistemological approach to studying legal mobilization. Instead of taking only a causal approach, such as what actions lead to what outcomes, they also incorporate a constructionist perspective to legal mobilization and look at how actors frame their cause and how that framing may change over time according to the “legal opportunity structures”Footnote 20 as well as the social and political contexts they are located in,Footnote 21 and the role of mobilizing actors.Footnote 22 Analyzing the framing around a cause matters not only to understand the success of litigation but also how it changes a social movement. For example, Lisa Vanhala’s scholarship shows that the act of mobilizing rights can have both intended and unintended consequences for social movements themselves.Footnote 23 Her book on disability rights shows that strategic litigation may change not only the political discourse but also how the social movement around that particular topic itself is framed. This strand of scholarship tends to take a longitudinal approach to analyze the impact of legal mobilization over time, not just the short-term immediate impact of litigation.
The scholarship has also examined various topics of study, including mobilization around migration and migrant rights in the context of Europe.Footnote 24 One important area of study is identifying the actors involved in this field. For example, Passalacqua analyzed 291 rulings of the CJEU relating to migration to map out the actors that defend migrant rights at the European level.Footnote 25 Pijnenburg and van der Pas have mapped out existing strategic litigation cases against human rights violations that arise from migration controls in Europe.Footnote 26 This strand of literature also explores why some CSOs use EU law more frequently than others and what factors lead to this mobilization.Footnote 27 Another area of study is how litigation occurs in different levels of judicial fora and its impacts. The literature has explored how CSOs mobilize EU, international, and domestic legislation on discrimination to promote migrants’ rights.Footnote 28 Specifically, this literature analyses how actors use legislation at the national level,Footnote 29 before the CJEU,Footnote 30 and compares the practice of intervention before the CJEU with its counterpart in Strasbourg, the European Court of Human Rights.Footnote 31 However, the scholarship also points out that immediate successes in litigation are not the end of the story. As Southerden has pointed out, executive reactions can subvert the outcomes of even successful litigation.Footnote 32 This underscores the need for a comprehensive and long-term analysis of the entire mobilization process beyond the immediate success of a particular case. Notably, none of this scholarship in migration and asylum fields has examined legal mobilization against the uses of automated systems.
With regard to strategic litigation against the use of algorithms or their unfair outcomes, the scholarship explores the use of litigation against algorithmic management in employment, including platform work,Footnote 33 and the use of strategic litigation in internet and data protection laws.Footnote 34 Additionally, there are opinion piecesFootnote 35 and reportsFootnote 36 that examine what the EU law offers litigators and what specific strategies are available for litigators to challenge the use of automated systems in the public sector. Anne Kaun further explores litigation against a municipality’s use of an automated system for welfare provision in Sweden and analyzes the negotiations and meaning-making around the definition of the system in use during contestation processes.Footnote 37 Her analysis shows that litigation also involves re-imagining what these technologies are and what they are capable of. However, none of this scholarship examines litigation or other forms of legal mobilization against the use of algorithms and their unfair outcomes in migration and asylum contexts.
Therefore, in this Article, we aim to fill this gap by investigating the relatively unexplored area of legal mobilization in challenging automated systems within migration and asylum contexts. We focus specifically on the actors involved and the structural opportunities and barriers they face. Despite the increasing prevalence of these technologies and mounting concerns about their impact on migrants and asylum seekers,Footnote 38 there remains a significant lack of studies examining legal mobilization around them. As we explain below, a number of CSOs have been involved in addressing these issues, yet there has been no analysis of their experiences with judicial and non-judicial avenues. Inspired by the constructionist strand of scholarship, we start our analysis by investigating the context in which CSOs operate. In the following section, we focus on the affordances of EU law and the barriers to strategic litigation.
II. The Role of EU Law in Contesting Automated Systems
Contesting automated systems is challenging. As scholars have long observed, individuals and CSOs encounter significant obstacles when contesting automated systems, which in turn hamper the right to an effective remedy and due process rights.Footnote 39 Despite these challenges, EU data protection law offers crucial legal tools to challenge automated systems. The GDPR aims to protect the right to data protection, enshrined in Article 8 of the EU Charter of Fundamental Rights (CFR), by setting rights for data subjects and obligations for data controllers and processors. When considering automated systems, Article 22 of the GDPR importantly prohibits solely automated decisions, subject to exceptions, and sets conditions for their use when allowed. Alongside this prohibition, Articles 12, 13, 14, and 15 of the GDPR grant data subjects individual rights, in particular transparency and access rights, to retain control over their personal data and be informed about data processing.
The GDPR also provides remedies for violations of the Regulation. In case of a potential data protection infringement, individuals have access to judicial remedies under Article 79 of the GDPR, or can choose to lodge a complaint with an independent non-judicial authority, the Data Protection Authority (DPA), under Article 77 of the GDPR. The rationale behind creating extra-judicial remedies in the GDPR is to provide more easily accessible, quicker and less costly justice routes for data subjects, thus fostering an effective enforcement of data protection rights. Finally, the GDPR also enables CSOs to play an important bottom-up governance role in enforcing data protection rights.Footnote 40 To achieve effective protection of the right to data protection, Article 80 of the GDPR allows CSOs acting in the public interest to make complaints and represent data subjects in front of DPAs or courts.Footnote 41 As pointed out in the literature, by including CSOs in the enforcement structure of data protection, the GDPR aims to foster a process of collective emancipation,Footnote 42 thus creating an “architecture of empowerment.”Footnote 43
Taken together, the GDPR provides an essential toolkit for strategic litigants challenging automated systems, granting standing and grounds for CSOs to contest technological practices, seek transparency, and access remedies to protect migrants’ and asylum seekers’ digital rights. At least, in theory. In practice, however, empirical research has identified critical GDPR enforcement issues, including inconsistencies in national practices and discrepancies in handling complaints by DPAs.Footnote 44 The recent and novel wave of litigation in this field is an occasion for scholars to test empirically whether EU data protection truly empowers strategic litigants.Footnote 45 The aim of this Article is precisely to analyze and assess the GDPR’s legal potential in light of current litigation practices by CSOs in the understudied field of automated systems in migration and asylum. By exploring the role of strategic litigants in addressing systemic issues faced by migrants and asylum seekers, our Article seeks to contribute to a broader understanding of how legal mobilization can drive changes in law, policy, and the implementation of automated systems, and the role of EU law therein.
III. Does EU Law Empower Strategic Litigants? Our Approach and Methods
The potential emancipatory function of the GDPR is the core focus of our investigation. Although legal scholars have criticized the enforcement of the GDPR, both de jure and de facto,Footnote 46 we question whether EU data protection law empowers strategic litigants in the overlooked field of migration and asylum. Methodologically, we approach this question from a socio-legal perspective. This includes analyzing the tools offered by EU law for strategic litigants and evaluating how strategic litigants utilize EU law in practice. Drawing on legal mobilization literature, we focus on the objectives of strategic litigants, the obstacles they encounter, the venues and legal fora they engage with, and the role of EU law in these processes.
For our empirical study, we conducted a case study analysis and semi-structured interviews with CSOs involved in selected cases, as well as their external partners, an academic and a journalist. To select our cases, we used the Tech Litigation Database, GDPRHub, and the websites of civil society organizations across Europe. We also utilized data from the AFAR Project’s comprehensive mapping studyFootnote 47 to gather instances of FOI requests by CSOs and witness statements. Based on three specific criteria: (1) the subject of litigation, specifically automated systems; (2) the actors involved, specifically those pursuing a public interest; and (3) the geographical scope, specifically systems used by EU Member States authorities,Footnote 48 we have identified the following instances of contention (Table 1).
In many studies on strategic litigation, researchers examine how litigants present their legal arguments. However, these arguments may only offer a partial view of the strategic litigants’ goals, especially when the litigation is part of a broader campaign, and the litigants take a long-term perspective to make an impact.Footnote 49 Therefore, following a thorough analysis of these cases, we conducted in-depth interviews with selected CSOs and/or their partners.Footnote 50 Specifically, in May 2024, we interviewed the current Senior Lawyer and Legal Officer from Privacy International (PI) regarding their contestation against the use of mobile phone data and electronic monitoring in the UK. We also interviewed a collaborator of Homo Digitalis, Dr. Niovi Vavoula, regarding their contestation against the use of HYPERION and KENTAYROS systems designed to surveil asylum seekers in the camps in Greek islands. Finally, we interviewed Anna Biselli. Together with Gesellschaft für Freiheitsrechte (GFF), Biselli conducted a study regarding their contestation of mobile phone data extraction in asylum procedures in Germany. These interviews complemented our analysis in understanding the intended objectives of choosing specific cases, the methods of contestation, and the obstacles faced in each case.
C. Emerging Contestation Methods
In this section, we present our analysis of the obstacles that actors involved with contesting automated systems in the context of migration and asylum encounter when they seek to challenge them. We explore the opportunities provided by EU law, the practical impediments they face, as well as the strategies they use when seeking transparency, gathering expertise, and obtaining remedies. Each sub-section starts with illustrative case studies that underscore the importance of each barrier.
I. Seeking Transparency
In 2021, the Greek Ministry of Immigration and Asylum unveiled in their annual action plan the installation of two technology systems in reception and accommodation centers for asylum seekers. Named after mythological Greek figures, Hyperion and Kentauros Systems have the potential to turn reception facilities into a panopticon of digital surveillance. By processing biometric data of asylum seekers, tracking and monitoring their movements with drones and cameras, and analyzing their behavior with Artificial Intelligence, these systems raise significant risks for the privacy and other fundamental rights of asylum seekers as well as of NGO members visiting the relevant centers and their employees. Despite the invasive nature of such projects, very little information was shared with the public. This is where the fight of Homo Digitalis, a Greek organization focused on the protection of digital rights, started. To work on their strategic litigation, they first needed more information about how the Greek Ministry of Immigration and Asylum would use them. In this section, we explore CSOs’ efforts to overcome the barrier of seeking transparency, specific difficulties in the context of migration and asylum, and the mobilization of GDPR tools to obtain information about the technologies of concern.
When CSOs decide to work on contesting the use of a specific technology, the first obstacle they face is the lack of adequate information about the technology and its potential implications for data subjects. As automated systems are often products developed by private companies, access to information can be denied based on their commercial interest. Moreover, in the field of migration and asylum, national security interests are often presented as justification for withholding information. Without understanding the system’s functionality, purpose, and operation, litigants cannot formulate a robust contestation strategy. Lack of transparency can also arise from the inherent opacity of algorithms, as highlighted by scholars like Pasquale and Burrell.Footnote 51 One of our interviewees shared the following frustration with us about planning their strategies:
The ability to obtain information [. . .] it’s the main hurdle. Once we have the information, then it’s relatively [easy]. We have all the resources and the means to get something to a challenge. We know how to do it, but obtaining the right information is really the most tricky part, and for technology, obviously, it’s even harder than I think in any other field because unless you have your hands on the actual code of an algorithm or the actual physical thing that an authority uses, then you can’t really figure out much. So that’s really the key part.Footnote 52
Seeking transparency about the systems is the first and probably most important step for strategic litigants. For this purpose, EU data protection law can provide useful legal tools to obtain information about automated systems.
Transparency is a fundamental principle of EU data protection law and administrative decision-making. In the GDPR, the transparency principle epitomized in Article 5(1)(a) is developed into concrete individual rights for data subjects and duties for controllers throughout the regulation. Transparency of data processing takes the form of a duty to inform data subjects in Articles 12, 13, and 14, a right to access personal data in Article 15 and a right to receive meaningful explanations of automated decision-making in Article 22. The overarching aim of these provisions is to enable data subjects to have control over data processing and exercise their substantive rights.
Transparency rules in the GDPR govern information flows between the data subject and the controller. In this relationship, under Article 13 GDPR, data subjects must be informed of the purpose of the processing, the storage period and legal basis, the possibility of data transfer, as well as their rights as data subjects and information about the controller and the data protection officer. Such information must be given in a concise, transparent and easily accessible way per Article 12 GDPR. Additionally, data subjects under Articles 14 and 15 GDPR have the right to request information about their personal data and rights. Despite the individual dimension of transparency in the GDPR, access rights can be mobilized to achieve collective and social justice aims.Footnote 53 As shown by Mahieu and Ausloos, access rights are a crucial legal tool for investigating data infrastructures, working at best “when used collectively and is aimed at empowerment and transparency at a societal level.”Footnote 54 Therefore, in theory, transparency rights represent an important tool for strategic litigants. By knowing what goes inside and what gets out, the black box of automated systems can be opened, and errors can be identified.
Transparency rights were crucial, for example, for Privacy International (PI) when they were investigating the details of electronic monitoring, specifically of “GPS ankle tags,” that the UK Home Office introduced for immigration bail in 2021. Seeking transparency about the details of this technology, PI collaborated with migrants and their legal representatives to obtain “Data Subject Requests” (DSR). Our interview with them revealed that DSRs can be an important tool for understanding the details of a technology, including the frequency of data collection and the potential inaccuracies:
Every case that has reached courts has started with a DSR usually. So, for example, in the electronic monitoring cases, the DSRs that clients were filing with the Home Office would produce massive Excel spreadsheets of their location data over months and months and months. And through that, we were then able to assess a lot of how the system was working, how often location data was being collected, and then one really interesting use of that was in one specific client’s case. We kind of sat down with them and looked through the spreadsheet of data and then checked with him every single location data point and said, ‘OK, were you actually there? Were you actually there?’. And so that way, we were able to identify inaccuracies. And then the recording location data. So that was extremely useful.Footnote 55
However, access rights are contingent on two conditions: The presence of a data subject whose data is being processed and the willingness to submit a data access request. In practical terms, it can be extremely challenging for migrants and asylum seekers to exercise these rights. Although recognized as “vulnerable” data subjects by the European Data Protection Supervisor (EDPS), migrants, in general, face rigid legal frameworks that often work against their rights.Footnote 56 For many asylum seekers and refugees, data protection rights may not be a priority, due to a lack of information about available remedies and their immediate struggles in their daily lives. Asylum seekers awaiting the outcome of their application to seek protection may be afraid of speaking out against authorities. Scholars argue that this particular vulnerability has enabled state authorities to use migration contexts as a “testing ground”Footnote 57 by introducing various technologies in a trend often referred to as “techno solutionism”Footnote 58 in migration management, which may compromise fundamental rights standards and exacerbate the imbalance.
Migrants, including asylum seekers, may be afraid even to speak with journalists anonymously due to their fear of the authorities. For instance, journalist and computer scientist Anna Biselli collaborated with Gesellschaft für Freiheitsrechte (GFF) to uncover the use of automated tools during the asylum procedure by the German Federal Office for Migration and Refugees (BAMF). In 2017, BAMF introduced the use of mobile phone data extraction in asylum procedures, along with other tools. Anna Biselli attempted to gather information from asylum seekers about how data extraction was working in practice, but she found it extremely difficult:
While [asylum seekers] are still undergoing asylum procedure, they are incredibly vulnerable. So, they don’t want to talk on the record, at least, and they don’t want to be quoted. And they are afraid that, even if you give them some other name, they might be identified. [. . .] In other cases, they are [. . .] like usually it’s easier to talk to people who are in a rather privileged situation, and they want to get this out [. . .] the injustice they face [. . .] but, they are safe.Footnote 59
This situation makes seeking transparency about automated tools used in migration and asylum contexts particularly challenging. In other areas, it can be easier for CSOs to obtain information about the technology in use through DSRs. According to our interviewee from PI, DSRs can be a hugely helpful tool to obtain information about the technology in use:
At PI, in our work in general, we very often file data subject access requests [DSR] and requests for explanations of automated decision making. And that’s quite easy when we’re researching a general commercial system where we, as staff, might be data subjects. In the migration context, it’s much more complicated because the data subjects are often very vulnerable people who might not be in a place to help us directly or that we might not be able to support directly.Footnote 60
It is, therefore, much harder for migrants to exercise this right due to their particularly vulnerable situation vis-a-vis the authorities.
Additionally, access rights are limited as they do not grant technical information about the system itself. To obtain greater insights into automated systems, CSOs mobilize another tool offered by the GDPR: The Data Protection Impact Assessment (DPIA). Article 35 of the GDPR mandates controllers to conduct a DPIA whenever data processing operations, especially those involving new technologies, pose a high risk to individuals’ rights and freedoms. Specific examples are provided in Article 35(3), such as extensive automated evaluations, large-scale processing of special categories of data, and systematic monitoring of public areas. In migration and asylum, where profiling or automated decision-making and processing of sensitive data of vulnerable data subjects are prevalent, DPIAs must theoretically be conducted whenever new technologies are employed.Footnote 61
In line with the GDPR’s primary objective of safeguarding the right to personal data protection, DPIAs aim to ensure accountability, aiding controllers in complying and demonstrating that appropriate compliance measures are in place.Footnote 62 The GDPR specifies the minimum features of a DPIA in Article 35(7), including a description of the processing operations and purposes, an assessment of the necessity and proportionality of the processing, an evaluation of risks to data subjects’ rights and freedoms, and measures to address these risks and demonstrate compliance. Despite the importance of DPIAs, the GDPR does not explicitly require their publication. In the Guidelines on the DPIA by the Article 29 Working Party, now European Data Protection Supervisor,Footnote 63 their publication is, however, encouraged. As a good practice, controllers should publish DPIAs, either fully or in summary, to promote transparency and accountability. DPIAs’ publication is especially recommended when a public authority carries them out.Footnote 64
However, in practice, especially in the migration context, it is difficult for CSOs and individuals to access DPIAs. Authorities do not always publish DPIAs publicly, and if they do, they may release only heavily redacted versions. As a result, it is challenging to review them or verify whether agencies have carried them out. One method of obtaining DPIAs is by submitting FOI requests.
FOI requests allow citizens to obtain access to public institution documents. They are a direct implementation of the right of access to public information, a human right recognized in international law under Article 19 UDHR and Article 10 ECHR, in EU law under Article 42 CFR, Article 15 TFEU and Regulation 1049/2001, and by EU Member States. The advantage of FOI requests is that citizens can ask for any document held by public authorities without the need to adduce any justification to substantiate their request. For these reasons, FOI is a commonly used method by journalists and CSOs to promote transparency and support their investigations. Unlike access rights under data protection law, the right of access to public information allows individuals to seek transparency about the technical components of automated systems, such as source codes, contracts with the providers, training data or user manuals.
Although, in theory, FOI requests can be refused only exceptionally, in reality, not all requests are successful. Our interviewees shared that authorities reject providing DPIAs through FOI requests, release heavily redacted versions, ignore them, or respond only after a long delay. If requests are rejected, authorities may cite reasons such as national security, public interest, or commercial interests.Footnote 65 For instance, Lucie Audibert from PI highlighted the challenges of receiving a meaningful response to their FOI requests to the UK Home Office regarding their use of technology in the context of migration:
In PI’s experience over the years, the Home Office has always been the most difficult government entity to get information from, both from a procedural perspective and because they tend to massively delay their responses or simply forget to respond until we follow up with them. And then substantively, they’ll really very often claim blanket exemptions. So, either national security and prevention of immigration offences, sometimes commercial interests, if there’s a company involved. But even when there’s no company involved, sometimes they’ll claim their own commercial interests as in their negotiation interests as a commercial entity.Footnote 66
Challenging such rejections requires additional resources, namely organizational time. For example, Anna Biselli informed us that BAMF rejected her request for DPIAs after a long wait, and they were unable to challenge this rejection due to time constraints: “What I really wanted to have but didn’t get is data protection impact assessments because that is something I would be really interested in, and we requested it, and they rejected it. And then there were some organizational problems, and we didn’t manage to file the claim in time.” Receiving DPIAs in this context not only demands resources but also requires staff members on long-term contracts to handle specific cases over a prolonged period and to accommodate the fluctuating response schedules of authorities.
All these obstacles, including the time to wait for a response and then to challenge a rejection, may influence CSOs’ decisions to proceed with their strategic litigation. For instance, one of our interviewees deliberated on whether to continue with a case, stating:
I think of all the FOI requests that we’ve filed with the Home Office over the past few years. Each of them has taken almost or more than a year to get to a final kind of resolution, and even then, that might be more refusals, and then we take a decision as to whether we want to challenge the refusals or just let it go and that will be kind of an ad hoc decision based on the importance of the information and what we think is the quality of the argument for applying the exemptions.Footnote 67
In other cases, CSOs’ FOI requests may simply be ignored. For example, when Homo Digitalis sought information about the Greek Ministry of Immigration and Asylum’s use of Hyperion and Kentauros Systems, their request for the DPIAs was disregarded:
Some of the questions addressed to the Ministry were whether a DPIA has been conducted, whether the Ministry has communicated the results of such a DPIA to the Hellenic DPA, whether they have put together a privacy notice for the related envisaged data processing activities and what is the foreseen legal basis that the Ministry plans to use for the related data processing operations of biometric and biographic data. However, this request remained unanswered.Footnote 68
This situation later prompted Homo Digitalis to approach the Hellenic DPA,Footnote 69 another method of contestation which we will explore in Section III below. For now, let us examine how CSOs seek to obtain expert knowledge about the details of these technologies and how they can challenge them.
II. Gathering Expertise
Contesting an automated tool in migration and asylum also requires expert knowledge to assess the capabilities and limitations of the specific technology. For example, in 2017, an amendment to the Asylum Act in Germany allowed the BAMF to analyze asylum seekers’ mobile phone data to establish their identity and nationality.Footnote 70 This process involves scrutinizing data such as browsing history, addresses, and geodata stored on the mobile phone. Once the phone is unlocked to enable the so-called ‘read-out’, the device is linked to a computer, which then analyses the data and generates a report containing statistical information and country indicators.Footnote 71 The results of this automated analysis can then be used, with certain safeguards, to determine asylum seekers’ country of origin. However, the exact method by which the technology converts the extensive data stored in phones into statistical indicators of nationality is not clear. What weight is given to a browsing history or location data from photos and apps? What factors affect the final statistical percentage? What logic and criteria are used to produce an automated assessment of an individual’s identity? This is where the fight of GFF, a Berlin-based non-profit organization focused on defending fundamental and human rights by legal means, started. In this section, we explore how CSOs overcome the barrier of obtaining expert knowledge about the details of the technologies they are concerned with and how they challenge these technologies by building coalitions.
When questions arise about the accuracy and technical capabilities of automated systems, there are two ways to answer them. One is to receive an explanation of the system’s functionalities from its developers or deployers. The second is to have the expertise and access to technical information to review and interpret the system independently. The GDPR attempts to follow the first option by granting a higher level of transparency for data subjects when a decision is solely automated.Footnote 72 When subject to automated decision-making, data subjects have the right to obtain “meaningful information about the logic involved”, or “right to an explanation”,Footnote 73 as well as know the significance and the envisaged consequences of such processing under Articles 13(2)(f), Article 14(2)(g) and Article 15(1)(g) GDPR. Although the scope of this right to an explanation remains unclear, as the Court of Justice has still not clarified important aspects of these provisions, the legal requirement of “meaningful information about the logic involved” can potentially help litigants in interpreting the system they aim to challenge.
In practice, our research shows that contesting the use of a technology based on the right to an explanation has not been effective. Authorities are reluctant to consider their decision-making systems “solely automated,” claiming that a human caseworker makes the final decision. They may also refrain from acknowledging the use of an automated system when challenged by CSOs. For example, in the case of contestation against electronic monitoring, when PI attempted to challenge the use of an automated tool that recommends whether a migrant should be electronically monitored, the UK Home Office denied its use:
In terms of automated decision-making, it has come up a lot in the electronic monitoring cases because there’s this tool, the Electronic Monitoring Review tool, which is supposed to be an algorithm that kind of helps decision makers make decisions as to whether someone should be kept on a tag or moved to what they call it a less invasive tag like the non-fitted tags [. . .] Through the cases that have gone through the courts for now, the Home Office has denied using this tool for these specific cases even though we know it exists and it has been used and is used in other cases. So, for now, we haven’t been able to get any disclosure on that, but it’s an argument that we have brought forward multiple times to say if this tool is being used, then individuals are entitled to an explanation of how it works. And very often, they’ll refuse to provide a full answer, but they’ll draw our attention to their immigration bail policy, which has, like, a table. That sets out the variables that are fed into the algorithm. So, the different levels of risk and harm that someone may pose. How that impacts the decision [. . .] but it’s really basic information, and it does not actually give us information as to the weights that are applied to the different factors. So yeah, for now, it’s been really, really basic information, but probably try and use those rights, but I mean [. . .] the right not to be subject to automated decision-making, for now, hasn’t been fruitful but might be in the future.Footnote 74
In the absence of effective legal tools to understand how automated systems work, CSOs have resorted to coalition building as a means of gathering expert knowledge. Through coalition building, CSOs join forces, pooling their resources, time and technical expertise to strategize ways to advance their cause. This collaboration often involves organizations, academic researchers, journalists, and computer scientists who share a common interest in challenging the use of automated systems.
One aspect of coalition building involves sharing available information to combine resources effectively. For example, organizations may deliberately make their FOI requests on open platforms, such as whatdotheyknow.com in the UK and FragDenStaat.de in Germany, enabling others to track and access the responses from authorities.Footnote 75 They may also maintain close communication with each other to share the information they uncover. For example, in their contestation against electronic monitoring, PI used the responses to FOI requests made by other organizations, such as the Bail for Immigration Detainees (BID) and the Public Law Project (PLP), as a basis for their subsequent claim to the UK DPA, Information Commissioner’s Office (ICO).
Another aspect of coalition building involves seeking technological expertise to understand the possible limitations of the technologies in use. Migrant or digital rights experts may lack detailed technical knowledge about how specific systems operate. If they can afford it, CSOs may either have in-house technical staff members or collaborate with external partners. For example, PI, a relatively large organization focused on new technologies, has its own team of technologists. The collaboration between the technological and the legal teams was crucial for PI to provide their third-party intervention for the UK Home Office’s use of mobile phone data extraction and their witness statement for electronic monitoring:
At PI, we have a team of technologists who are really wonderful from very diverse technical backgrounds. So [for] most of the technical issues we cover, someone in that team is going to be able to cover it. [. . .] So, for example we did this big piece of research into the tags themselves, so the kind of physical makeup of the tags. You know what they were. [. . .] what components were instrumental in collecting location data, et cetera. And then with that, basically, we got some tags from the open market and then our technologists tested them over the course of a few months, and then they were quite instrumental at kind of identifying all the failings and all the potential incompatibilities and inaccuracies between their experience of wearing the tag and what the data was showing.Footnote 76
Similarly, in their pre-litigation research, GFF collaborated with computer scientist and journalist Anna Biselli, who had already submitted many FOI requests to BAMF, to uncover the technical limitations of this practice. This collaboration helped both parties to understand the details of this practice and eventually challenge it at the DPA and in court. Biselli shared, “I have exchanged information with GFF, and so it was quite logical to do it together because I had the expertise from all those FOI requests, and from the IT perspective, and the GFF had the legal perspective, which I don’t have because I’m not a lawyer.” Footnote 77
Finally, another aspect of coalition building involves combining different types of expertise for research, strategy, and claim-making. For example, in their opposition to the Hyperion and Kentauros systems, Homo Digitalis worked with European Digital Rights (EDRi) to gather information about the technical details, as well as envisaged data processing activities.Footnote 78 When their requests went unanswered, Homo Digitalis collaborated with other Greek organizations, namely the Hellenic League for Human Rights and HIAS Greece, as well as Dr Niovi Vavoula, a lecturer at Queen Mary University of London at the time, and together they decided to file a complaint with the Hellenic DPA to investigate the deployment of these systems.Footnote 79 The academic who participated in this collaboration provided a legal analysis of the practice in question. Given Dr Vavoula’s expertise in the intersection of migration and technology, she helped the CSOs draft their complaint to the DPA by highlighting the missing points from a data protection perspective:
I was involved in the stage of preparing the claim before the Greek DPA and strategising as to which arguments to make in our claim. [. . .] in order to make a claim that would be as scientifically sound and complete as possible, and due to my expertise at the intersection of migration and technology, I was asked to provide input on the arguments to make. [. . .] I was given information about the process, so where we stand. [. . .] the fact that we didn’t have the legal basis and impact assessment, we knew that these already were breaches of data protection law, we identified some more, and then we submitted the claim.Footnote 80
These collaborations are indicative of a common challenge in this field: the significant difficulty in comprehending the workings of automated systems and their impact on data subjects, and the substantial resources needed for this task. It was only through these collaborations that CSOs were able to overcome these obstacles and move forward to the next stage, which involves obtaining remedies.
III. Obtaining Remedies
After seeking transparency and gathering expert knowledge, the next step is choosing and obtaining remedies. In this section, we explore how CSOs attempt to obtain remedies by choosing the appropriate legal forum. We show that they base this decision on the existing “legal opportunity structures,” that is, the presence or absence of legal institutions that they can turn to, as well as the potential to collaborate with a litigant.
As a general principle of EU law and a fundamental right under Article 47 CFR, individuals have the right to an effective remedy before a Court when their rights are violated. Member States have a duty to provide remedies that are sufficient to ensure effective legal protection of individuals according to Article 19(1) TFEU. Although, in theory, a remedy may be available under the law, several barriers may render a remedy ineffective in practice. Before the GDPR was proposed, the European Commission’s impact assessment underlined that litigation obstacles, such as cost of court proceedings, delays and lack of awareness, were particularly affecting the area of data protection.Footnote 81 The Fundamental Rights Agency, in their opinion on the legislative proposal, also highlighted that the reluctance of data subjects to access courts seemed to be linked to formalities and strict procedural requirements.Footnote 82 The proposed GDPR was then the right occasion to reverse this trend. Following the experience with national equality bodies in the field of EU non-discrimination, the GDPR introduces a new form of redress mechanism: The DPA as a non-judicial dispute mechanism. Under the GDPR, data subjects can bring a complaint before a Court in Article 79 GDPR or to a DPA in Article 77 GDPR, which is an optional dispute mechanism in addition to traditional remedies available under EU or national law. Additionally, the GDPR broadens legal standing rules for CSOs, allowing public interest actions to be brought before DPAs in Article 80 GDPR. Originally conceived as “the preferred point of access to data protection breaches,”Footnote 83 DPAs would have decreased costs, delays and formalities that were hampering access to justice for data subjects and CSOs acting in the public interest.
In four of the five cases we examined, CSOs resorted to DPAs. Homo Digitalis contested Hyperion and Kentauros Systems, as well as the AI-enabled social media monitoring tool to profile individuals and predict migration flows towards Greece.Footnote 84 GFF contested mobile phone data extraction during the asylum procedure, and Privacy International contested electronic monitoring, each by filing a complaint with the relevant DPA in the country where they operated. GFF and PI also went to Court, while Homo Digitalis kept their complaint at the DPA level.
Our findings show that CSOs resort to DPAs for two main reasons. First, they do so when pursuing legal action in court is not feasible and when the data protection issues are considered serious enough to warrant a DPA investigation. For example, when Homo Digitalis did not receive responses to their FOI requests regarding their questions on data protection in the case of surveillance systems used in reception centers, they chose to file a complaint with the Hellenic DPA, in collaboration with the Hellenic League for Human Rights, HIAS Greece, and Dr Niovi Vavoula, as it was the only available legal recourse for them. The technologies in question, Hyperion and Kentauros Systems, which are designed to surveil asylum seekers in the camps on the Greek islands, posed significant challenges in finding a litigant to bring to court due to asylum seekers being essentially detained within these centers and facing imminent expulsion upon failed asylum claims.Footnote 85 Nevertheless, as they strongly believed in their claim, “because the data protection breaches were so glaring that it would be very difficult for a DPA to ignore,”Footnote 86 they decided to file a complaint with the Hellenic DPA. In this case, the Hellenic DPA decided to investigate the claim promptly and ultimately imposed an administrative fine of €175,000 on the Ministry of Migration and Asylum due to breaches related to a lack of cooperation as the data controller, incomplete DPIAs and other shortcomings in compliance with the GDPR.Footnote 87 Similarly, Homo Digitalis submitted another request to the Hellenic DPA to investigate the use of a social media monitoring system by the Coast Guard. This request was made in collaboration with the Hellenic League for Human Rights, HIAS Greece, Privacy International, and the researcher Phoebus Simeonidis, and the Hellenic DPA recently reported to them that it will soon conclude its assessment.Footnote 88
In a similar vein, when PI wanted to challenge electronic monitoring, they decided to file a complaint with the UK DPA, the Information Commissioner’s Office (ICO). They took this course of action because they believed that challenging the practice through litigation was impractical, and they also held firm in their belief that the Home Office’s GPS tagging practice violated the UK GDPR and intruded upon individuals’ privacy rights. PI also provided witness testimony in support of claimants in two cases, ADL & others v SSHD, and Nelson v SSHD, for judicial review,Footnote 89 but found it impossible to systematically contest the practice through litigation. Our participant explained that when they began their technical research on the GPS tags, several individual judicial review cases were filed, but none of these cases progressed to court as the Home Office promptly removed the tag upon case filing.Footnote 90 Due to this evasive maneuver, PI chose to lodge a complaint with the ICO to escalate the matter to a quasi-judicial body.Footnote 91 Subsequently, the submission to the ICO was successful, resulting in the issuance of an Enforcement Notice and a formal warning to the Home Office on March 1, 2024, citing widespread violations of data protection law in its GPS tagging of migrants.Footnote 92
Second, CSOs may choose both to file a complaint with a DPA and take legal action in court as part of their strategic litigation. For example, the organization GFF challenged the use of mobile phone data extraction by initiating legal proceedings in the Administrative Courts of Hanover, Berlin, and Stuttgart with three different litigants. In June 2021, the Berlin Administrative Court ruled in favor of GFF’s complaint and allowed a direct appeal to the Federal Administrative Court. As a result, GFF suspended the other court cases. This was followed by the German Federal Administrative Court (BVerwG) issuing a landmark ruling on February 16, 2023 stating that the Federal Office for Migration and Refugees (BAMF)’s practice of regularly analyzing mobile phones was unlawful (BVerwG 1 C 19.21).Footnote 93 Additionally, several months before the Berlin Administrative Court’s ruling, in February 2021, GFF lodged a complaint with the German DPA, Federal Commissioner for Data Protection, thus adding another dimension to their strategic litigation process.
Nonetheless, contrary to the original expectations under the GDPR, our empirical research reveals that filing a complaint with DPAs also comes with challenges. The main obstacle reported by our participants is that DPAs are often under-resourced, which may lead to delays in investigating a complaint, or they may even choose not to investigate it at all. For example, in the complaint filed with the Hellenic DPA regarding Hyperion and Kentauros Systems, even though the Hellenic DPA made their decision to investigate the complaint rather promptly, their final decision came more than two years after the claim was submitted, which prompted one of our participants to reflect that “it’s not just a lack of resources that even if the resources are allocated, it still takes a lot of time”.Footnote 94 This finding broadly aligns with existing studies on DPAs in other fields.Footnote 95 As a result, CSOs need to carefully consider whether to file a complaint with a DPA, as it requires an investment of time without a guarantee of an investigation. Nevertheless, in cases where contesting through litigation is not viable, DPAs can still play a vital role in curbing the use of automated tools in migration and asylum.
D. Conclusion
Access to remedies is a fundamental principle of EU law and is a human right. Strategic litigation in the public interest becomes crucial when automated systems are employed, given the systemic impact these systems may have on individuals. Within the enforcement architecture of the GDPR, CSOs are considered key actors in pursuing public interest actions and providing effective protection to individuals. In this Article, we have analyzed how CSOs pursue strategic litigation against automated systems in migration and asylum and the role of EU law therein. Prompted by the lack of research in this field, despite its growing relevance, we have questioned whether EU data protection law truly empowers strategic litigants. We have addressed this question from a socio-legal perspective, considering not only the legal tools offered by the GDPR, but also whether CSOs use them in practice. Our analysis shows that CSOs attempt to mobilize GDPR legal tools, although two main issues risk rendering them ineffective.
The first issue relates to the specific context of our investigation, where asylum seekers and migrants are the data subjects. As vulnerable individuals, they fear repercussions for exercising their access rights or contesting authorities’ use of automated systems. For CSOs, this represents an obstacle to obtaining information as well as finding a litigant to bring a strategic case. In this context, CSOs have resorted to DPAs, prompting them to investigate the case or bring complaints before them. However, DPAs’ lack of resources and delays in taking action affect the possibility of obtaining effective remedies, defeating the original purpose of DPAs as the preferred point of access for data protection violations.
The second issue pertains to the persistent opacity of automated systems and the reluctance of public authorities to share information. Even if CSOs are equipping themselves to obtain expert knowledge through coalition building, the lack of access to detailed technical information remains a core problem. When CSOs strategically mobilize FOI and GDPR tools, their transparency demands are blocked, adducing commercial and national security interests. Although transparency and protection of vulnerable individuals are core pillars of the GDPR architecture, in practice, we find that these principles are far from being implemented.
As a consequence, the pre-litigation phase becomes extremely burdensome for strategic litigants. By investing time and resources in seeking transparency or waiting for DPAs’ actions, CSOs need to climb a wall before even reaching the litigation stage. We illustrate this metaphor in the visual below (Figure 1).
Despite these challenges, CSOs actively work in this field, mobilizing access rights and available legal venues under EU data protection law. Transparency and fundamental rights protection in automated systems are key principles that CSOs are fighting for through strategic litigation and advocacy. Given the vital role of their work in promoting a digital society that adheres to fundamental rights and democratic principles, it is crucial to truly enable the GDPR’s empowering potential and dismantle the wall of pre-litigation hurdles. To this end, we urge public authorities to make DPIAs publicly available, thus enabling CSOs and other stakeholders to collectively monitor data subjects’ rights. We also suggest investing more resources in supervisory authorities and urging DPAs to prioritize monitoring, investigations, and complaint handling in the field of migration and asylum. The role of DPAs must be strengthened to protect this category of data subjects whose rights are severely affected by the increasing use of automated systems.
It is important to acknowledge the limitations of this study and consider potential future research directions in this area of study. Given the novelty of these technologies, our study only examines recent efforts by CSOs to challenge them, as most of the contested technologies have been recently introduced by government authorities. As more technologies become integrated into various aspects of migration and asylum governance, and as CSOs become more involved in this field, they may develop new strategies or gain a better understanding of how these technologies operate through increased collaboration among themselves and other partners, potentially leading to more legal actions. Our study’s focus on recent challenges limits our contributions to the legal mobilization scholarship. Due to identified pre-litigation phase obstacles and the limited existing litigation in this field, we were unable to analyze changes in court case framing over time. We believe this will be a crucial area for future research. Moreover, although our Article focuses on the pre-litigation phase of mobilizing against automated systems, we recognize that this process is likely to evolve with the changes that the EU AI Act will bring, which will be another important area for future study.
Acknowledgements
We want to express our gratitude to our AFAR team members and the participants of the ‘Strategic Litigation in European Union Law’ workshop held at the University of Amsterdam in March 2024 and the ‘STS MIGTEC’ workshop held at the University of Utrecht in April 2024 for their valuable feedback on a previous version of this Article.
Competing Interests
The author declares none.
Funding Statement
This research is part of the Algorithmic Fairness for Asylum Seekers and Refugees (AFAR) Project, funded by the Volkswagen Foundation under its Challenges for Europe Programme.