The British government acted unlawfully by handing the US information on two suspected Isis terrorists without assurances the death penalty would not be used, the Supreme Court ruled last month.
In this landmark judgement, then Home Secretary Sajid Javid was found to have breached UK data protection laws when he shared witness statements to assist US law enforcement in terrorism investigations.
This is the first time the UK Data Protection Act (DPA) has been directly considered by the Supreme Court.
On 25 March 2020, the UK Supreme Court unanimously confirmed in Elgizouli v Secretary of the State for the Home Department UKSC 10 that personal data cannot be transferred to the US pursuant to an otherwise lawful request under the UK / US Mutual Legal Assistance Treaty (MLAT) unless the requirements of the UK’s Data Privacy Act 2018 were also satisfied.
The Court held that strict compliance with the statutory criteria of the DPA was essential for the transfer of data to be lawful. Javid had failed to “address his mind” to Part 3 of the DPA with the court finding that he made his decision based on “political expediency rather than consideration of strict necessity under the statutory criteria”.
Background to the case
The case was brought by the mother of Mr. El Sheikh, alleged to have been a member of a terrorist group operating in Syria responsible for the heinous deaths of US and British citizens, including the beheadings of 27 men. Mr. El Sheik and Mr. Kotey were captured by the Syrian Democratic Forces in January 2018 and were believed to be part of a notorious group nicknamed “the Beatles” on account of their British accents. They are currently held in US custody in an undisclosed location.
The UK Government had assembled witness statements relating to the terrorist activities of both men. The US, having custody of the men, made an MLAT request of the UK for this material. In accordance with its long-standing policy of opposition to capital punishment, the UK Government requested that the material would not be deployed in obtaining the death penalty. The US refused to give any such assurances, however, the UK Government went ahead and complied with the US request.
There were two questions for the court:
(1) Whether the common law prevents the Home Secretary from providing evidence to a foreign state that will facilitate the imposition of the death penalty.
(2) Whether the transfer of personal data under the MLAT was lawful under the DPA.
The first question was answered “no” by the court, i.e. that it is lawful for evidence to be provided to a foreign state even if that evidence may be used to impose the death penalty. On the second question, the court emphatically concluded that the transfer of data was unlawful.
The rationale for the decision
The DPA implements the EU Law Enforcement Directive 2016/680 and sets out the conditions which must be satisfied before transferring data to countries outside of the EU. The other requirements are:
(1) A European Commission adequacy decision (i.e. a decision that the data privacy laws of the receiving country offer equivalent protections to those of the EU). It was agreed that there is no adequacy decision in favour of the US. The extent of US ‘adequacy’ is limited to organisations under the EU-US Privacy Shield and not applicable in the context of this case;
(2) Appropriate safeguards are in place (if no adequacy decision);
(3) Special circumstances exist (if no adequacy decision or appropriate safeguards). Special circumstances include protection of vital interests, safeguard legitimate interests, immediate threats to public security.
The court, having heard from the UK Information Commissioner’s Office (ICO) who intervened in the proceedings, concluded that “The clear purpose of the provisions is to set out a structured framework for decision-making, with appropriate documentation. This did not happen in this case, and to that extent there was a clear breach of the Act”.
What are the wider implications for Data Controllers and Processors?
There are some key lessons to learn from this decision:
1. A high bar involving strict compliance with the UK DPA and GDPR has now been set. The court’s preparedness to strike down the actions of the Home Secretary in a serious terrorism case because of non-compliance with data privacy should send out a clear signal to all data controllers and processors.
2. Controllers and processors must have documented basis for the processing of personal data. This means that written assessments underpinning the transfer will need to be compiled at the time, but the form and detail of these remains an open question for the future.
3. All controllers and processors need to ensure that international data transfers are covered by one of the statutory / GDPR gateways and are properly evidenced.
4. The ICO will be emboldened by this decision in any future enforcement actions and will see it as a vindication of the importance of data privacy laws.
5.This is a wake-up call for law enforcement of their role as data controllers / processors, particularly when making international transfers of personal data. Given the importance of international cooperation, particularly in borderless crime such as bribery, fraud, money laundering, market abuse and anti-competitive behaviour, it is critical for enforcement agencies to comply with data privacy laws.
The full ruling is expected in the near future. Until then, data controllers and processors will need to hold their breath.
International transfers of data based on the EU-US Privacy Shield may soon be thrown into doubt again with the Court of Justice of the European Union being asked by the Austrian privacy activist, Max Schrems, to rule on whether the EU-US Privacy Shield offers adequate levels of protection for EU data subjects.
Simon Taylor, Partner and Certified Data Privacy Expert, Forensic Risk Alliance