Introduction
In the recent case of Elgizouli v Secretary of State for the Home Department, the UK’s Supreme Court ruled that the UK government infringed the UK Data Protection Act 2018 (‘the DPA 2018’) with regard to law enforcement data transfer made in that matter to the US. This article sets out the highlights of the ruling.
What’s this all about?
The individual concerned was alleged to have been one of a group of Islamic State terrorists operating in Syria, involved in the murder of US and British citizens. In June 2015, the US made a so-called mutual legal assistance (‘MLA’) request to the UK government in relation to an investigation into the activities of that group. The UK requested an assurance that the information would not be used directly or indirectly in a prosecution that could lead to the imposition of the death penalty. Although the US refused to provide a full death penalty assurance the UK nevertheless agreed to provide the information (which contained personal data) to the US without requiring any assurance.
A legal challenge was brought before the courts as regards whether: (i) it was unlawful for the UK to provide MLA so as to supply evidence to a foreign state that would facilitate the imposition of the death penalty in that state on the individual in question; and, (ii) whether it was lawful under the DPA 2018 for law enforcement authorities in the UK to transfer personal data to law enforcement authorities abroad for use in capital criminal proceedings; the UK DPA 2018 contains specific data protection law enforcement processing provisions (Part 3) including a section on international data transfers (Chapter 5).
What was the court’s ruling?
Whilst the court ruled that the common law did not recognise a principle prohibiting the provision of MLA that would facilitate the death penalty, it unanimously ruled that the UK government’s decision failed to comply with the DPA 2018, for the following reasons:
- Under the DPA 2018, UK authorities can transfer personal data aboard (here to US authorities) for law enforcement purposes, but only subject to three conditions;
- The three conditions under which a transfer can be made are if it is based on: (i) either, a so-called EU ‘adequacy decision’; or. (ii) there being ‘appropriate safeguards’ (as set out under the DPA 2018); or, (iii) based on ‘special circumstances’ (also as set out under the DPA 2018);
- The court ruled that the transfer was not subject to an ‘adequacy decision’, nor had ‘appropriate safeguards’ been put in place, and the requirements for ‘special circumstances’ (which seemed to have been the most likely possible grounds for the data transfer in question) were not met;
- Because the data transfer legal criteria had not been met, the UK government’s decision seemingly having been made more on the basis of political expediency, the court ruled that there had been a breach of the DPA 2018.
What are the takeaways?
At a general level this case is a reminder that international data transfers must be made on the correct legal basis – to do otherwise runs the risk of a given transfer being annulled by a court.
At another level, there is room for speculation as to whether this case will be considered as part of the EU’s ‘adequacy’ determination concerning the UK. Under the Brexit process, the EU is currently undertaking its assessment as to whether the UK offers an adequate level of data protection. If the EU comes to a positive conclusion, a practical upshot would be that personal data can flow from the EU/EEA to the UK without any further safeguards being necessary; the EU is endeavouring to adopt an ‘adequacy’ decision (or possibly decisions) by the end of 2020. The assessment can be expected to consider a range of factors. If this UK court case were to fall under that assessment, how might the EU consider it? It could be argued that, on the one hand, the UK government scores a negative, whilst, on the other hand, the UK court system scores a positive.
Resources
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/
The UK Supreme Court’s judgment can be found here: https://www.supremecourt.uk/cases/uksc-2019-0057.html.
We have written about data protection and Covid-19 issues here: https://www.corderycompliance.com/coronavirus-covid19-and-dp/.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 | |
| Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
 |
 |