In a milestone for data privacy law, the UK Supreme Court recently ruled that the British government acted unlawfully by handing the US information on two suspected ISIS terrorists without assurances that the death penalty would not be sought.
For the first time, the UK Data Protection Act 2018 (DPA) was directly considered by the Supreme Court. The then Home Secretary, Sajid Javid, was found to have breached UK data protection law when he shared witness statements to assist US law enforcement in a terrorism investigation.
Mr El Sheikh and Mr Kotey, alleged to have been members of a terrorist cell, were captured by the Syrian Democratic Forces in 2018. They were believed to be part of a notorious group nicknamed “The Beatles,” responsible for the deaths of US and British citizens.
The UK Government had assembled witness statements relating to the terrorist activities of both men. The US, having custody of the men, made a request for this material under the UK/US Mutual Legal Assistance Treaty (MLAT). In accordance with its long-standing policy of opposition to capital punishment, the UK Government sought assurances that the material would not be used to obtain the death penalty.
The US refused to give any such assurances. The UK Government nevertheless went ahead and complied with the US request. There were two questions for the court:
(1) Whether the common law prevents the Home Secretary from providing evidence to a foreign state that will facilitate the imposition of the death penalty.
(2) Whether the transfer of personal data under the MLAT was lawful under the DPA.
The first question was answered “no” by the court, i.e. it is lawful at common law for evidence to be provided to a foreign state even if that evidence may be used to impose the death penalty. On the second question, the court emphatically concluded that the transfer of data was unlawful.
On 25 March 2020, the UK Supreme Court unanimously confirmed in Elgizouli v Secretary of State for the Home Department [2020] UKSC 10 that personal data cannot be transferred to the US pursuant to an otherwise lawful MLAT request unless the requirements of the Data Protection Act 2018 are also satisfied.
The Court held that strict compliance with the statutory criteria of the DPA was essential for the transfer of data to be lawful. Javid had made his decision based on “political expediency rather than consideration of strict necessity under the statutory criteria”.
Part 3 of the DPA implements the EU Law Enforcement Directive 2016/680 and sets out the conditions which must be satisfied before law enforcement authorities transfer personal data to countries outside the EU.
The court, having heard from the UK Information Commissioner’s Office (ICO) who intervened in the proceedings, concluded that: “The clear purpose of the provisions is to set out a structured framework for decision-making, with appropriate documentation. This did not happen in this case, and to that extent there was a clear breach of the Act.”
Five key lessons for Data Controllers and Processors
A high bar of strict compliance with the UK DPA and the GDPR has now been set. The court’s willingness to strike down the actions of the Home Secretary in a serious terrorism case because of non-compliance with data protection law sends a clear signal to all data controllers and processors.
Controllers and processors must have a documented basis for the processing of personal data. This means that the written assessments underpinning a transfer will need to be compiled at the time of the decision, although the form and level of detail required remain an open question for the future.
All controllers and processors need to ensure that international data transfers are covered by one of the statutory or GDPR gateways and are properly evidenced.
The ICO will be emboldened by this decision in any future enforcement action and will see it as a vindication of the importance of data protection law.
This is a wake-up call to law enforcement agencies about their role as data controllers and processors, particularly when making international transfers of personal data. Given the importance of international cooperation, particularly in borderless crime such as bribery, fraud, money laundering, market abuse and anti-competitive behaviour, it is critical for enforcement agencies to comply with data protection law.