Data, Privacy and Digital Disputes: GDPR, Nuisance, Social Media and SaaS

UK GDPR Article 15 SARs and Article 82 compensation, PECR nuisance marketing, online platform content moderation under the OSA 2023, social media defamation, AI services and SaaS subscription disputes.

ICO / Ofcom / Court for HRA and damages
7 sub-sectors covered

Data and digital disputes are governed by a layered framework. The Information Commissioner's Office (ICO) is the regulator for UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. Ofcom regulates online safety under the Online Safety Act 2023 and continues to regulate the telecoms aspects of online services. Most consumer-facing online platforms have no dedicated ombudsman; the routes are direct rights against the controller, ICO complaint, and where injury or damages are involved, court.

The dominant procedural anchors are these. UK GDPR Articles 12 to 23 set out the data subject rights (access, rectification, erasure, restriction, portability, objection, automated-decision rights). Article 82 gives a right to compensation for material or non-material damage caused by a breach. The Lloyd v Google decision in the Supreme Court (November 2021) makes it materially harder to claim compensation for "mere loss of control" of data without proof of damage; substantial-damage cases remain actionable.

Key Legislation

  • UK GDPR (esp. Articles 12-23 data subject rights; Article 82 compensation)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations 2003 (SI 2003/2426)
  • Online Safety Act 2023
  • Computer Misuse Act 1990
  • Defamation Act 2013
  • Consumer Rights Act 2015 (Part 1 Chapter 3, ss.33-47 digital content)
  • Consumer Contracts Regulations 2013 (SI 2013/3134)
  • Digital Markets, Competition and Consumers Act 2024

Complaint Route

ICO / Ofcom / Court for HRA and damages

Always complain to the company directly first. Give them 8 weeks to respond. If unresolved, escalate to the relevant ombudsman or ADR scheme listed above. EvenStance guides you through every step.

The most common data, privacy and digital disputes

Data protection breaches and SARs. Under UK GDPR Article 15, the data subject has a right to access their personal data held by a controller. The controller must respond within one month (extendable to three months for complex requests). No fee for a first request. Where the controller fails to respond, misses the deadline, or provides incomplete data, the consumer can complain to the controller, then the ICO. Civil claims for compensation under Article 82 run through court.

Nuisance marketing. PECR 2003 governs marketing by phone, text, email, and post. Unsolicited live marketing calls to consumers registered with the Telephone Preference Service are unlawful. Unsolicited email and text marketing without prior consent is unlawful. Cookie consent must be specific, informed and freely given (the "soft opt-in" exception is narrow). The ICO enforces; consumers report nuisance and can also claim civil damages under PECR 30.

Online platform disputes (content moderation, account closures). Largely contractual under the platform's terms. Most platforms have substantial latitude to remove content and close accounts. The Online Safety Act 2023 imposes user empowerment, content-moderation, and complaints duties on user-to-user services, but the operative rules for many duties were still being phased in through 2024-2026 codes of practice. Where the platform's decision was procedurally unfair or breached its own published terms, the consumer's claim is contractual; small claims is the residual route.

Social media defamation. Defamation Act 2013 framework. Section 1 requires the consumer to show serious harm; for trading entities, serious financial loss. Section 5 provides a defence for operators of websites where they identify the poster or comply with a removal request, subject to the conditions in the Defamation (Operators of Websites) Regulations 2013. Civil claims run through court; one-year limitation under s.4A of the Limitation Act 1980, extendable by the court under s.32A.

AI services. A developing area. Where the AI service makes incorrect statements (hallucinations) that cause loss, the route depends on the supplier's terms and the underlying claim. Consumer contracts under CRA 2015 cover supply of digital content (ss.33 to 47): digital content must be of satisfactory quality (s.34), fit for purpose (s.35), and as described (s.36). The AI provider's broad disclaimers are subject to fairness review under s.62. The Government has published policy proposals for cross-economy AI regulation, but as at May 2026 no consolidated AI Act is in force.

SaaS and app subscriptions. CCR 2013 (14-day cooling-off for new online subscriptions), CRA 2015 (digital content quality and fairness of terms), DMCCA 2024 Part 4 (subscription-trap provisions, phased commencement). Subscription auto-renewals without clear pre-contract disclosure are at risk under s.62 of the CRA 2015.

Cloud storage and lost data. Where a cloud storage provider has lost the consumer's data through its own fault, the consumer's claim is contractual under the provider's terms and supported by CRA 2015 s.34 (satisfactory quality of digital content) and s.42 (consumer's right to refund where the digital content does not conform). Substantial limitation-of-liability terms are subject to s.62.

The first fob-off and the rebuttal that works

Data controllers' first responses cluster around three patterns. First, the SAR response is incomplete; key documents are missing. The rebuttal is to identify what is missing by reference to what the controller's processing operations clearly include (the privacy policy is a useful reference for the scope), and to write back requesting the missing material. The ICO is the escalation if the controller will not engage.

Second, the controller invokes a UK GDPR exemption (legal privilege, third-party data, criminal investigation) for the missing material. The rebuttal is to ask the controller to specify the exemption with reference to the statutory provision (Schedule 2 of the Data Protection Act 2018 is the principal source). Blanket exemption claims that do not engage with the consumer's specific data are challengeable.

Third, online platforms cite "our terms" to justify content removal or account closure. The rebuttal is twofold: the terms are subject to fairness review under s.62 of the CRA 2015, and the platform's own published process must be followed. Where the platform's process was not followed, the consumer's claim is procedural.

Escalation path

For UK GDPR and Data Protection Act 2018 complaints: controller first, then the ICO. The ICO can issue enforcement notices, monetary penalties (up to £17.5m or 4% of global turnover for the most serious breaches), and recommendations. Civil compensation claims under UK GDPR Article 82 run through court under s.5 of the Limitation Act 1980 (six years from breach), with the Lloyd v Google judgment shaping what damage is compensable.

For PECR breaches (nuisance marketing): ICO and civil claim under PECR 30.

For online platform disputes: platform's process, then small claims for financial loss; Online Safety Act 2023 framework where applicable (Ofcom is the regulator but does not adjudicate individual disputes).

For social media defamation: Defamation Act 2013 framework; civil claim through court; one-year limitation under s.4A Limitation Act 1980.

For SaaS and app subscriptions: provider's complaints process; chargeback or s.75 for credit-card-funded subscriptions; small claims for residual financial loss.

What it costs and how long it takes

ICO complaints are free. Civil claims for compensation through court bear the standard court fees and costs. Small claims is the route for low-value digital disputes.

ICO complaint handling has been variable; routine SAR-failure complaints typically resolve in three to six months from referral, but enforcement against major controllers can take much longer.

How EvenStance helps with data, privacy and digital

Frank's data and digital flow drafts the SAR under Article 15, the complaint to the controller for procedural failures, the ICO complaint, and (for substantive damages) the pre-action correspondence under UK GDPR Article 82. The platform's defamation flow drafts the Notice of Complaint under the Defamation (Operators of Websites) Regulations 2013 and tracks the operator's response window.

Sub-sectors Covered

  • Data Protection / GDPR / Privacy
  • Marketing / Nuisance Calls / Spam
  • Online Platforms - Content Moderation
  • Social Media Disputes
  • AI Services
  • Tech / SaaS / App Subscriptions
  • Cloud Storage / Lost Data

Frequently Asked Questions

How do I make a GDPR complaint?
Exercise your rights (access under Article 15, erasure under Article 17, rectification under Article 16, restriction under Article 18, objection under Article 21) with the organisation first. If they fail to respond within one month (extendable to three months for complex requests), complain to the Information Commissioner's Office. The ICO can investigate and issue enforcement notices or fines; consumer financial compensation requires a court claim under UK GDPR Article 82.

Can I claim compensation for a data breach?
Yes, under UK GDPR Article 82, where the breach caused material damage (financial loss, identifiable detriment) or non-material damage (distress, time, loss of control). The Lloyd v Google judgment in the Supreme Court (November 2021) makes it materially harder to claim for "mere loss of control" without proof of damage, but substantial-damage cases remain actionable.

A company keeps calling me even though I am on the TPS. What can I do?
Unsolicited live marketing calls to TPS-registered numbers are unlawful under PECR 2003. Complain to the company first and ask for evidence of their lawful basis for calling. Complain in parallel to the Information Commissioner's Office. The ICO has imposed substantial fines on serial PECR breachers. A civil claim is available under PECR 30 for damages where the consumer can prove loss.

A social media platform has banned my account without notice. What is my route?
The contractual relationship is between you and the platform; the platform's terms typically allow substantial latitude. Where the platform did not follow its own published process, the claim is contractual. Where the terms purport to allow arbitrary removal, the fairness framework under s.62 of the Consumer Rights Act 2015 may apply. The Online Safety Act 2023 imposes complaints duties on user-to-user services; check the platform's current complaints policy under the OSA framework. Small claims is the residual route for financial loss.

My SaaS subscription auto-renewed at a higher rate. Can I get a refund?
Possibly. Where the auto-renewal at the higher rate was not clearly drawn to your attention at sign-up, the term is at risk under s.62 of the Consumer Rights Act 2015 (fairness) and s.68 (transparency). Where the auto-renewal occurred within 14 days of original purchase and the contract was a distance contract, CCR 2013 cooling-off applies. The DMCCA 2024 Part 4 subscription-trap reforms strengthen consumer rights as commencement progresses.

An AI service gave me wrong information that led to a loss. Do I have a claim?
The consumer rights framework under CRA 2015 (Part 1 Chapter 3, digital content) applies. Digital content must be of satisfactory quality (s.34), fit for purpose where the consumer made known the particular purpose (s.35), and as described (s.36). Where the AI service's terms include broad disclaimers, those terms are subject to fairness review under s.62. The substantive area is developing; specialist legal advice is often appropriate for material losses.
