Could a recent Supreme Court decision on information sharing lead to “terrorists” escaping justice? Part 3 of the Data Protection Act 2018 (DPA) regulates the processing of personal data for law enforcement purposes by Competent Authorities which includes, amongst others, government departments and the police.
The case of Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent)  UKSC 10 is interesting because it examines the application of GDPR’s less well-known cousin to a complex situation involving the possible extradition of alleged terrorists to the United States. The Supreme Court ruled that the UK acted unlawfully by personal data with the US that could lead to the execution of two British citizens accused of being part of an Islamic State murder squad known as “The Beatles”. Seven justices concluded that the decision in 2018 by the Home Secretary breached Part 3 of the DPA.
Shafee Elsheikh and Alexander Kotey are currently in US custody in Iraq having been linked to 27 murders in Syria carried out by “The Beatles”. In June 2015, the US made a mutual legal assistance (MLA) request to the UK in relation to an investigation into the activities of that group. The then Home Secretary, Sajid Javid, requested an assurance that any information the UK supplied would not be used by the US, directly or indirectly, in a prosecution that could lead to the imposition of the death penalty on the two men. The US refused to provide this assurance and, in June 2018, Mr Javid agreed to provide the information anyway.
Elsheikh’s mother, Maha Elgizouli, challenged (by way of judicial review) the Home Secretary’s decision to share that information with the US, not to prevent him from being prosecuted and jailed but, to protect him from the death penalty. Her claim was dismissed by the High Court, which certified two legal questions of public importance for the Supreme Court to answer:
- Whether it is unlawful for the Secretary of State to exercise his power to provide an MLA so as to supply evidence to a foreign state that will facilitate the imposition of the death penalty in that state on the individual in respect of whom the evidence is sought.
- Whether (and if so in what circumstances) it is lawful under Part 3 of the DPA, as interpreted in the light of relevant principles of EU data protection law, for law enforcement authorities in the UK to transfer personal data to law enforcement authorities abroad for use in capital criminal proceedings.
The Supreme Court allowed the appeal. Most of the Justices dismissed the challenge brought under the common law (question 1 above) to the Home Secretary’s decision but they unanimously held that the decision failed to comply with part 3 of the DPA (question 2). Data Protection professionals, especially those in law enforcement agencies, will be particularly interested in the court’s analysis of the rules relating to international transfers, as set out in Chapter 5 of the DPA
Section 73 of the DPA, like Article 49 of the GDPR, prohibits transfers of personal data to a third country unless a number of conditions are met. Condition two is that the transfer :
“(a) is based on an adequacy decision (see section 74),
(b) if not based on an adequacy decision, is based on there being appropriate safeguards (see section 75), or
(c) if not based on an adequacy decision or on there being appropriate safeguards, is based on special circumstances (see section 76)”
The court noted that the transfer in question was not based on an adequacy decision; nor was it based on appropriate safeguards which are set out in Section 75(1):
“A transfer of personal data to a third country or an international organisation is based on there being appropriate safeguards where—
(a) a legal instrument containing appropriate safeguards for the protection of personal data binds the intended recipient of the data, or
(b) the controller, having assessed all the circumstances surrounding transfers of that type of personal data to the third country or international organisation, concludes that appropriate safeguards exist to protect the data.”
The lawfulness of the transfer therefore stands or falls on the “special circumstances” condition in section 73. This will only apply, according to section 76, if the transfer is necessary for any of the following five purposes:
“(a) to protect the vital interests of the data subject or another person,
(b) to safeguard the legitimate interests of the data subject,
(c) for the prevention of an immediate and serious threat to the public security of a member State or a third country,
(d) in individual cases for any of the law enforcement purposes, or
(e) in individual cases for a legal purpose.”
The court ruled that a transfer on the basis of special circumstances can only occur following an assessment of what is strictly necessary. Such an assessment was not made by the Home Secretary before sharing the information with the US. Hence the transfer was unlawful. Lord Carnwath said:
“The decision was based on political expediency, rather than consideration of strict necessity under the statutory criteria.”
Furthermore, in relation to the special circumstances gateway, section 76(2) states:
“Subsection (1)(d) and (e) do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer”.
Lady Hale found that these “fundamental rights and freedoms” include the rights protected by the European Convention on Human Rights, the most fundamental of which is the right to life. This points towards an interpretation of section 76(2) which, even if an assessment had been made, would not allow the transfer of personal data to facilitate a prosecution which could result in the death penalty for UK citizens.
So there you have it; a very careful analysis by the Supreme Court of the international transfer provisions under Part 3 of the DPA. There must now be a further court decision over what the UK must do to comply with the law, including potentially asking the US to return the shared information. This could lead to the two individuals in question avoiding extradition to the US where they would, if convicted, face the death penalty. Of course, the UK government can still bring them back to the UK to face justice.
This and other developments will be discussed in our forthcoming information law webinars. We have created a policy pack containing essential document templates to help you meet the requirements of Part 3 of the DPA 2018.