This article is more than 1 year old

Meta faces lawsuit to stop 'surveillance advertising'

Case claims collecting personal data breaches UK GDPR, but implications could be wider

A lawsuit filed in the High Court of England and Wales has demanded that Meta's Facebook social media platform stops harvesting personal data for the purposes of advertising and marketing.

The suit was filed by tech and human rights activist Tanya O'Carroll, who said this amounts to "surveillance advertising" with her legal team claiming: "Meta repeatedly refused to respect ... O'Carroll's absolute right to object to being surveilled and profiled" when she tried to opt out of having her personal data being processed by Meta for the purposes of marketing.

At the core of O'Carroll's complaint are allegations that Meta is breaking data protection law – the UK GDPR – by doing so, with her legal reps at AWO saying that internet users have had the "right to object" since the GDPR was adopted in the UK in 2018 (see below). O'Carroll is a senior fellow at Foxglove, the same legal campaign group protesting the government's extraction of UK hospital datasets to the systems of US tech company Palantir without the patients' consent.

The particulars of claim [PDF] also detail what the suit characterizes as a "significant asymmetry of information between the Claimant and Meta" regarding the "types of personal data which Meta collects" and "the processing activities which Meta undertakes on those personal data for the purpose of selecting and delivering Direct Marketing Material to users of Facebook."

Solicitor Ravi Naik, legal director at data rights agency AWO, said: "Meta is straining to concoct legal arguments to deny our client even has this right. But Tanya's claim is straightforward; it will hopefully breathe life back into the rights we are all guaranteed under the GDPR."

The news comes weeks after a Washington judge fined Meta $24.6 million for intentionally breaking [PDF] the state's campaign finance transparency laws 822 times.


The UK still has the GDPR implemented via the Data Protection Act (DPA) of 2018. It first incorporated the law when the UK was a member state, and went on to amend it on January 1, 2021, to be read together with the new "UK GDPR" rather than the EU GDPR.

The UK GDPR is almost word for word the same text, and that is purposeful, because any significant divergence from the EU GDPR could affect data sharing adequacy rulings post-Brexit.

The country's proposed replacement for the UK GDPR – the Data Protection and Digital Information Bill (DPDIB) – is still progressing through Parliament after the Conservative-led government said it was "limiting the potential of our businesses," with digital minister Michelle Donelan vowing to cut data protection "red tape" for the "newly independent nation free of EU bureaucracy."

In a statement, O'Carroll said: "While the case is being brought by an individual data subject in the UK against Facebook, a win could set a precedent for millions of users of search engines or social media in the UK and EU who have been forced to accept invasive surveillance and profiling to use digital platforms."

Meta told The Register: "Protecting the privacy and security of people's data is fundamental to how our business works. That's why we've invested heavily in features like Privacy Check-up and Ads Preferences that provide more transparency and controls for people to understand and manage their privacy preferences."

Earlier this month, Meta said it would make more than of 11,000 employees redundant following the dramatic decline in profits and the subsequent share price dive at the end of October.

As some commentators have noted, the lawsuit goes to the heart of Facebook's business model, and if there's anything shareholders like worse than throwing billions of dollars at an unprofitable Metaverse, it's demonetizing some of the data that fuels current ad sales, so this is one to watch. ®

More about


Send us news

Other stories you might like