Lorna Woods, Professor of Internet Law, University of Essex

Introduction

The Elgizouli case marks the first UK Supreme Court ruling on the Data Protection Act 2018 (DPA). The key takeaway is that simply mostly complying with the Act’s requirements isn’t enough to legalize data transfers to other countries. This judgment centers around Part Three of the DPA, which puts the Law Enforcement Directive into action and emphasizes procedural safeguards. However, the court’s methodology might have broader consequences for how UK courts interpret the DPA and the GDPR, particularly regarding the protection of individual rights outlined in the European Court of Human Rights (ECHR).

Facts

Eligizouli’s son was implicated in the killing of UK citizens in Syria. During its investigation into the group believed to be responsible, the US submitted a mutual legal assistance (MLA) request to the UK for information. Theresa May, then Home Secretary, asked for guarantees that the information wouldn’t be used, directly or indirectly, in a prosecution that could result in the death penalty. The US declined to provide such an assurance. Nevertheless, a later Home Secretary, Sajid Javid, approved the data transfer.

Eligizouli initiated a judicial review, raising two key questions: first, whether common law prevented the Home Secretary from exercising such powers, and second, whether the transfer was legal under the DPA, interpreted through the lens of EU law. The appellant specifically argued that the Home Secretary’s decision unlawfully violated several aspects of the DPA, including data protection principles, international transfer rules, and special processing limitations. It was further contended that the Home Secretary hadn’t considered the DPA’s mandated duties. Initially, the Divisional Court ruled that the Home Secretary had demonstrated “substantial compliance” with the Act and could rely on “special circumstances” for the transfer.

Judgment

The Supreme Court determined, by majority, that common law hadn’t evolved to inherently prohibit MLA provisions that might indirectly support the death penalty. However, the Court unanimously agreed that the Home Secretary’s decision violated the DPA, specifically regarding the conditions for transferring data to another country. Lord Kerr’s judgment, though he was in the minority on the common law issue, was the leading opinion. Lady Hale offered a concise summary of the judgments.

All parties concurred that Part 3 of the DPA was relevant, meaning the case involved personal data processing for “law enforcement purposes” by a “competent authority.” It was also undisputed that the Home Secretary didn’t explicitly consider their DPA obligations.

The judgment primarily focused on the conditions for transferring data to the US, governed by sections 73-76 of the DPA. Notably, data transfer is only allowed if the three conditions in section 73(1)(a) are met. The first condition (section 73(2)) mandates that the transfer be “necessary for any of the law enforcement purposes.” The second condition (section 73(3)) outlines three permissible transfer scenarios: based on an adequacy decision (simplifying transfers) as per section 74; in the absence of such a decision, if appropriate safeguards exist according to section 75; or if neither of the first two apply, based on special circumstances following section 76. The third condition pertains to the recipient of the information.

The Court agreed that the Home Secretary’s decision wasn’t based on an adequacy decision or appropriate safeguards as defined in section 75. Therefore, the decision’s legality hinged on the existence of “special circumstances.” The Court didn’t address whether “special circumstances” could only be invoked if the first two categories didn’t apply. Section 76(1) outlines five specific purposes that constitute “special circumstances,” including protecting vital interests, safeguarding legitimate interests, addressing imminent threats to public security, and individual cases for law enforcement or legal purposes.

The Court interpreted “special circumstances” as requiring a specific evaluation of these conditions. They stated that section 73 aimed to establish a structured decision-making framework with proper documentation. This, as the ICO argued, necessitates a “conscious and contemporaneous” assessment of the statutory criteria before any transfer. This proactive assessment was absent in this case. The Home Secretary’s failure to consider their data controller duties meant the “special circumstances” justification for the transfer wasn’t applicable.

A further question arose regarding the impact of “fundamental rights and freedoms” mentioned in section 76(2), which Lady Hale argued includes the right to life under Article 2 of the ECHR. She argued, though not binding in this instance, that this points to interpreting section 76(2) as prohibiting data transfers that could facilitate a prosecution potentially leading to the death penalty. Lord Carnwath suggested that not considering this point further invalidates the Home Secretary’s decision; Lord Hodge acknowledged its validity but reserved judgment as it wasn’t fully argued.

Lord Kerr dissented, arguing that processing the data (i.e., transferring it as part of the MLA) was unlawful and unfair, thus violating the data protection principles in section 34 DPA. This conclusion stemmed from his unique view that common law would prevent the Home Secretary from acting in this manner.

Comment

This judgment might be seen as narrow in scope, providing protection solely through procedural means. This interpretation would leave the Home Secretary free to reach the same decision after addressing the outlined issues. Similarly, the court’s approach to common law and its emphasis on incremental development demonstrate deference to legislative primacy, especially concerning the exercise of prerogative powers.

However, the judgment holds broader significance in its interpretation of the DPA, particularly how its provisions should be understood. This approach contrasts sharply with that of lower courts, which may now shift direction.

The Supreme Court stresses the importance of data controllers actively engaging with DPA requirements. Concerns arose in this case because the Home Secretary completely disregarded the 2018 Act. Thus, utilizing any gateway in section 73 seems to require considering the safeguards, regardless of the mechanism employed. Lord Carnwath draws a crucial distinction regarding safeguards and special circumstances, stating that merely considering factors differs from basing a decision on their existence. This distinction raises the bar for the required standards. The Supreme Court didn’t address whether the three gateways have a hierarchical order, where each must be considered and ruled out before proceeding to the next.

The Supreme Court also affirmed the approach to interpreting “necessary” in section 76(1) regarding objectives related to “special circumstances,” which should be understood in light of Recital 72 of the LED. While the Divisional Court used Recital 72 to justify not seeing this case as problematic (citing the example of mass surveillance), the Supreme Court emphasized that any transfer must be “strictly necessary.” This strictness implies a narrow interpretation of section 76, consistent with the EU law approach to derogations, and mandates considering the transfer’s proportionality.

Lady Hale’s non-binding views on section 76(2) DPA, which the rest of the Court found compelling, suggest the Supreme Court is taking a strict compliance approach. Her argument posits that even a necessary and proportionate transfer might be overridden by data subject rights enshrined in various instruments, including the ECHR. These rights extend beyond data protection and privacy to encompass all protected rights. Lady Hale specifically highlights the right to life (Article 2 ECHR), implying that the protection offered is not merely procedural but could involve assessing the substance of these rights. Crucially, she emphasized that fundamental rights are protected regardless of nationality or residence, suggesting these protections might have extraterritorial effects, potentially extending beyond the jurisdiction where data is transferred.

While undeniably significant for data transfers under the LED, the judgment’s implications extend further. The data transfer provisions in this context share structural similarities with Article 49 GDPR, which addresses transfers in specific situations. It’s conceivable that British courts might employ a similar analytical framework in such cases.

Finally, it’s worth considering this decision’s impact on the EU Commission’s potential data protection adequacy decision for the UK post-Brexit. This decision would streamline data transfers from the EU to the UK. On the one hand, this case highlights administrative shortcomings that might hinder an adequacy decision. Conversely, the Supreme Court’s approach could reassure that independent UK courts effectively oversee data protection rights. Ultimately, the outcome might depend on the Government’s response to this judgment.

Photo credit: David Iliff, via Wikicommons