The UK’s data privacy laws have recently been used to declare as unlawful the transfer of personal data by the UK Home Secretary to US law enforcement in death penalty cases. The then Home Secretary Sajid Javid acted unlawfully and in violation of UK data privacy laws when sending witness statements to assist US law enforcement in terrorism investigations. FRA Partner Simon Taylor reviews key facts of the case and highlights five wider lessons to take away for data controllers and processors.
What are the wider implications of the UK Supreme Court’s landmark decision on unlawful international transfer of personal data?
On 25 March 2020, the UK Supreme Court unanimously confirmed in Elgizouli v Secretary of State for the Home Department UKSC 10 that personal data cannot be transferred to the US pursuant to an otherwise lawful request under the UK / US Mutual Legal Assistance Treaty (MLAT) unless the requirements of the UK’s Data Privacy Act 2018 (DPA) are also satisfied. The Court held that strict compliance with the statutory criteria for international data transfers contained in Part 3 of the DPA is essential for a transfer to be lawful. It was common ground in the case that the Home Secretary, Sajid Javid, had entirely failed to “address his mind” to Part 3 of the DPA, and the court found that he made his decision based on “political expediency rather than consideration of strict necessity under the statutory criteria”.
Background to the Case
The case was brought by the mother of a man, Mr. El Sheikh, who was alleged to have been a member of a terrorist group operating in Syria responsible for the heinous deaths of a number of US and British citizens, including the beheadings of 27 men. Mr. El Sheikh, together with an associate, Mr. Kotey, was captured by the Syrian Democratic Forces in January 2018; both were believed to be part of a notorious group nicknamed “the Beatles” on account of their British accents. They are currently held in US custody in an undisclosed location.
The UK Government had assembled a large number of witness statements relating to the terrorist activities of British citizens in Syria including Mr. El Sheikh and Mr. Kotey. The US, having custody of the men, made an MLAT request of the UK for this material. In accordance with its long-standing policy of opposition to capital punishment, the UK Government requested assurances that the material would not be deployed in obtaining the death penalty. The US refused to give any such assurances but despite this the UK Government went ahead and complied with the US request.
There were two questions for the court: (1) whether the common law prevents the Home Secretary from providing evidence to a foreign state that will facilitate the imposition of the death penalty, and (2) whether the transfer of personal data under the MLAT was lawful under Part 3 of the DPA.
The first question was answered “no” by the majority of the court, i.e. that it is lawful for evidence to be provided to a foreign state even if that evidence may be used to impose the death penalty. However, on the second question, the DPA ground, the court emphatically concluded that the transfer of data was unlawful.
The Rationale for the Decision
Part 3 of the DPA implements the EU Law Enforcement Directive 2016/680 (“LED”) and sections 73-76 set out the conditions which must be satisfied before transferring data to countries outside of the EU. In addition to the transfer being necessary for a law enforcement purpose, the other requirements are:
(1) A European Commission adequacy decision (i.e. a decision that the data privacy laws of the receiving country offer equivalent protections to those of the EU). It was agreed that there is no adequacy decision in favour of the US. The extent of US ‘adequacy’ is limited to organisations under the EU-US Privacy Shield (see below for further discussion of this) and not applicable in the context of this case;
(2) Appropriate safeguards are in place (if no adequacy decision);
(3) Special circumstances exist (if no adequacy decision or appropriate safeguards). Special circumstances can include the protection of vital interests, safeguarding legitimate interests, immediate threats to public security, etc.
It is worth noting here that the provisions of the LED and Part 3 of the DPA are similar in structure to those in the General Data Protection Regulation (“GDPR”) concerning international data transfers in non-law enforcement cases (see Articles 44-50), particularly in relation to transfers based on adequacy decisions (Art. 45), appropriate safeguards (Art. 46, including standard contractual clauses or binding corporate rules) and special circumstances (Art. 49, derogations for special circumstances).
The court, having heard from the UK Information Commissioner’s Office (“ICO”), who intervened in the proceedings, concluded that “The clear purpose of the provisions [of Part 3 of the DPA] is to set out a structured framework for decision-making, with appropriate documentation. This did not happen in this case, and to that extent there was a clear breach of the Act”.
What are the wider implications for Data Controllers and Processors?
There are at least five key lessons to learn from this decision, which is the first occasion that the UK DPA has been directly considered by the Supreme Court.
(1) A high bar involving strict compliance with the UK DPA and GDPR has now been set. The court’s preparedness to strike down the actions of the Home Secretary in a terrorism case of this seriousness because of non-compliance with data privacy should send out a very clear signal to all data controllers and processors.
(2) Controllers and processors must have a clear and documented basis for the processing of personal data (the court emphasised the need for “conscious and contemporaneous” consideration of the statutory tests). This means that written assessments underpinning the basis of transfer will need to be compiled at the time, but the form and detail of these remains an open question for the future.
(3) International transfers of data require particular care – all controllers and processors need to ensure that data transfers are covered by one of the statutory / GDPR gateways and are properly evidenced. This is particularly challenging when the international data transfer provisions of the LED and GDPR are, as illustrated by the Supreme Court in its detailed ruling, complex and capable of more than one interpretation.
(4) The ICO will be emboldened by this decision in any future enforcement actions and will see it as a vindication of the importance of data privacy laws more broadly – the ICO’s submissions on the importance and operation of the DPA were broadly accepted by the Supreme Court Justices.
(5) Finally, this is a wake-up call for law enforcement who will be reminded by this case of their role as data controllers / processors, particularly when making international transfers of personal data. Given the central importance of international cooperation, particularly in borderless crime such as bribery, fraud, money laundering, market abuse and anti-competitive behaviour, which is necessary both at the investigative stage and at the point of case disposal (whether through trial or deferred prosecution agreements), it will be critical for enforcement agencies themselves to strictly comply with data privacy laws.
International transfers of data based on the EU-US Privacy Shield may soon be thrown into doubt again, with the Court of Justice of the European Union (“CJEU”) being asked by the Austrian privacy activist Max Schrems to rule on whether the EU-US Privacy Shield (or Standard Contractual Clauses, “SCCs”) offer adequate levels of protection for EU data subjects (this is known as “Schrems II” as it follows Max Schrems’ successful challenge in 2015 to the EU-US ‘Safe Harbour’ arrangement, which led to the Privacy Shield).
The Advocate General to the CJEU published his advisory opinion on these two issues on 19 December 2019, in which he upheld the validity of SCCs but questioned the adequacy of the Privacy Shield. The full ruling is expected in the near future, and until then data controllers and processors will need to hold their breath.